All posts for the month December, 2015

Good Evening Friends. Today we will see how to hack a remote Linux PC with the phpFileManager 0.9.8 RCE exploit. RCE stands for remote code execution. phpFileManager is a complete filesystem management tool contained in a single file. Among the features of phpFileManager:
- server info
- directory tree
- copy/move/delete/create/rename/edit/view/chmod files and folders
- tar/zip/bzip/gzip
- multiple uploads
- shell/exec
- works on Linux/Windows
- PHP4/PHP5/Apache2 compatible
- English/Portuguese/Spanish/Dutch/French/German/Italian/Korean/Russian/Catalan translations

It is used to manage the files of a web server, and it boasts around 382 downloads per week. Its browser interface can be seen below.

phpfilem_1

We will try to hack into an Ubuntu 12.10 PC from Kali Linux using this phpFileManager 0.9.8 RCE exploit. Given below is the video version of this howto. If you are interested in the textual version, scroll down below the video.

Start Metasploit. Search for the phpFileManager exploit by typing the command “search phpfilemanager” as shown below.

phpfilem_2

Load the exploit and set the required options as shown below. Most of the options are already set, except the remote host address, i.e. your target’s IP address.

phpfilem_3

Type the command “show payloads” to see the available payloads and set the one you want. I have selected the payload highlighted below.

phpfilem_4

Set the payload and check that all required options are set by typing the command “show options”.

phpfilem_5

Type the command “exploit” to run it. If everything went well, you should get the remote PC’s shell as shown below.

phpfilem_6

It should look as shown below. Type the command “ls” to list the contents of the current directory, as shown below. You can see the two files we saw in the first picture. Now let us navigate to the etc directory as shown below.

phpfilem_7

Then type the command “vi passwd” to open the passwd file of the remote PC. Vi is the default text editor on Linux.

phpfilem_8

Good Evening friends. Today we will see how to hack a remote PC with the ManageEngine Desktop Central 9 FileUploadServlet exploit. Desktop Central is an integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location. This exploit targets a vulnerability in ManageEngine Desktop Central 9: when a 7z file is uploaded, the FileUploadServlet class does not check the user-controlled ConnectionId parameter. Start Metasploit and load the exploit as shown below. Set the required options. By default, Desktop Central 9 runs on port 8020. Leave the targeturi option at its default.

deskcen91

Set the payload as shown below. I am trying to get a shell on the remote system. To select a suitable payload, type “show payloads” and choose the one you want. Set the required options as shown below.

deskcen92

When all the options are set, type the command “exploit”. You should get a shell on the remote Windows PC as shown below. Hence we have successfully hacked a remote Windows PC with the ManageEngine Desktop Central 9 FileUploadServlet exploit.

deskcen93
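The Desktop Central bug described above is a missing check on a user-controlled value (the ConnectionId) that ends up in a filesystem path. The following Python is an added illustration written for this page, not ManageEngine’s code and not in the servlet’s Java: it shows that pattern beside a hardened version. The unsafe function joins the identifier into the path exactly as received; the safe one allow-lists the identifier, restricts the filename to a single path component, and verifies that the resolved path still lies under the upload root. The upload root and all names are assumed.

```python
import os
import re

# Assumed upload root for this example; the real product's layout is not on this page.
UPLOAD_ROOT = "/srv/uploads"
# Allow-list for an identifier such as the ConnectionId described above.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_target(root, connection_id, filename):
    """The bug pattern: a user-controlled identifier is joined into a path with no check.
    A connection_id such as '../../tmp' walks straight out of the upload root."""
    return os.path.normpath(os.path.join(root, connection_id, filename))


def safe_target(root, connection_id, filename):
    """Hardened version: allow-list the identifier, keep the filename to one component,
    and confirm the resolved path is still inside the root (defence in depth, which also
    covers symlinked directories that realpath() resolves)."""
    if not ID_RE.fullmatch(connection_id):
        raise ValueError("connection id must be alphanumeric")
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must be a single path component")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, connection_id, filename))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("resolved path escapes the upload root")
    return target


def is_rejected(root, connection_id, filename):
    """True when the hardened check refuses this (identifier, filename) pair."""
    try:
        safe_target(root, connection_id, filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed inputs: a benign pair and a traversal attempt in the identifier.
    print(unsafe_target(UPLOAD_ROOT, "../../tmp", "upload.7z"))   # escapes the root
    print(safe_target(UPLOAD_ROOT, "conn42", "upload.7z"))        # stays under the root
    print(is_rejected(UPLOAD_ROOT, "../../tmp", "upload.7z"))     # True
```

The allow-list regex is the check that matters most: an identifier the application itself generated should never contain a path separator or dot segment, so anything else is rejected before it reaches the filesystem. The `commonpath` test is kept as a second line of defence so that a future change to the allow-list cannot silently reopen the hole.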

Good evening friends. Today we will see how to exploit the PHP Utility Belt remote code execution vulnerability. All credit for this exploit goes to one “WICS” of exploit-db.com. The exploit is shown below. In this howto, I will just show you how to use it. For those who don’t know what PHP Utility Belt is, it is a “set of tools for PHP developers. We can just install it in a browser-accessible directory and have at it.”

util_m1

Here is the video version of this howto. If you want the textual version, scroll down.

PHP Utility Belt is set up as shown below.

util_m2

Before we try our exploit, let’s try to access a file named “info.php” through the URL as shown below. You will get an error as shown below.

util_m2a

Now enter the given PHP code as shown below and click “Run”. This is our remote command execution exploit.

util_m3

Now try once again to access the file you tried above. You should see the file listed as shown below. Hence we have successfully performed remote command execution.

util_m4

Good Evening Friends. Today we will see how to use the Limesurvey Unauthenticated File Download exploit to download files from a remote web server. For those who don’t know what Limesurvey is, it is a free and open source online survey application written in PHP. It enables users to develop and publish online surveys through a web interface, collect responses, create statistics, and export the resulting data to other applications.

This exploit works on Limesurvey versions 2.0+ and 2.06+ Build 151014. For this howto, I have installed Limesurvey on a web server as shown below.

Here’s a video version. The textual version is below the video. Please scroll down.


limesurvey1

Given below are the files located in the Limesurvey directory, which should not be accessible to anybody. We will try to download the “README” file using the Limesurvey Unauthenticated File Download exploit in Metasploit.

limesurvey2

Start Metasploit and load the exploit as shown below. Set the required options as shown below. The “filepath” option sets which file you want to download; I have chosen the “readme” file as mentioned above. I have set the “traversal_depth” option to zero, as the file I want to download is in the current folder. Set it appropriately for your case.

limesurvey3

Check the required options once again. They should look as below.

limesurvey4

Type the command “run” and the file will be downloaded as shown below. Happy hacking.

limesurvey5


NOTE: This is for educational purposes only.

Good Evening friends, today we will look at an arbitrary file access vulnerability in Kodi 15. For those who have no idea what Kodi is, it is “an award-winning free and open source cross-platform software media player and entertainment hub for HTPCs. Kodi can be used to play almost all popular audio and video formats around.” We will exploit an LFI vulnerability in its web interface.

Before we start, let me make clear that the credit for finding this vulnerability goes to one “MICHAEL PRONK” of exploit-db. I am just showing how to use that exploit. The exploit is shown below.

kodid1

Ok, now let’s see it in real time. Open Shodan (which means you should have an account there) and search for “title:kodi os:linux” as shown below. We are searching for all Linux machines with Kodi installed on them. The results will be as shown below.

kodid2

Now open any one of the interfaces. It should look like below. Kodi runs on port 8080 by default.

kodid3

Now we will try to access the passwd file on this Linux machine. Just after the port number, try this query:

/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

as shown below. You should get the contents of the passwd file as shown below.

kodid4

Here’s another example.

kodid5
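The Kodi request above and the Limesurvey “filepath”/“traversal_depth” options earlier on this page are both directory traversal, and from the server side both leave the same trace in the access log: a percent-encoded run of “..” segments, usually ending in a well-known file. The following Python is an added example written for this page, not code from Kodi, Limesurvey, or the exploit authors. It percent-decodes each request target repeatedly (so a double-encoded %252f is also seen as a slash), counts the “..” segments in the path and query, and checks for a short list of sensitive paths. The log lines are constructed for the example; the second line carries the exact Kodi string quoted above, while the Limesurvey-style URL is an assumed shape, not the real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines for this example. Hosts, timestamps and
# user agents are made up. Line 2 carries the Kodi traversal string from the write-up;
# line 3 uses an assumed Limesurvey-style "filepath" parameter (not the real endpoint);
# line 5 is double-encoded (%252f) to show why decoding has to be repeated.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2015:21:04:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2015:21:04:15 +0000] "GET /%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1855 "-" "curl/7.45"
10.0.0.9 - - [12/Dec/2015:21:05:02 +0000] "GET /survey/index.php?filepath=..%2f..%2fREADME HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2015:21:05:40 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Dec/2015:21:06:01 +0000] "GET /..%252f..%252fetc%252fshadow HTTP/1.1" 404 210 "-" "python-requests/2.9"
"""

# Combined log format: client ip, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths whose appearance in a decoded request target is worth an alert on its own.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/windows/win.ini")


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    %252f -> %2f -> / ends up as a real slash."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_depth(target):
    """Number of '..' segments in the decoded path and query string of a request target."""
    decoded = fully_decode(target).replace("\\", "/")
    return sum(1 for seg in re.split(r"[/?&=]", decoded) if seg == "..")


def scan_line(line):
    """Return a finding dict for a suspicious log line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    decoded = fully_decode(target).replace("\\", "/").lower()
    depth = traversal_depth(target)
    hits = [p for p in SENSITIVE_PATHS if p in decoded]
    if depth == 0 and not hits:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "target": target,
        "depth": depth,
        "sensitive": hits,
        # A 2xx answer to a traversal request means the server most likely served the file.
        "likely_succeeded": 200 <= status < 300,
    }


def scan_log(text):
    """Scan a whole log (one request per line) and return the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it over the constructed log flags three of the five lines. The status code is kept in the finding because it separates a blocked probe (404) from one the server answered with content (200), which is the case that needs the file-level follow-up; decoding is bounded to a few rounds so a malicious request cannot make the scanner loop.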


Good Evening Friends. Today we will drift a little from system hacking into mobile hacking. Actually, I thought of skipping this howto, as it has been a long time since this exploit was released and I thought the developers of the Mercury browser might have patched it, but I recently checked and found that the vulnerable version (Mercury v3.2.3) of the browser is still available for download. So let us see today how to hack Android with the Mercury Browser parseuri exploit. Start Metasploit and load the exploit as shown below. Set the required options (actually we need to set only one option, localhost).

mercury_b1

Then type the command “exploit” as shown below. A server will start on the localhost as shown below.

mercury_b2

Now the only thing we need to do is get the Android user to open the above URL with the Mercury browser. Once the Android user opens the link, the exploit will run as shown below.

mercury_b3

Now, on your localhost (attacker machine), open a browser and type the Android user’s IP address as shown below. We got the IP address in the picture above. As shown below, you can access all the data of our victim.

mercury_b4

Given below is the victim’s WhatsApp data.

mercury_b6

Good Evening Friends. Today we will see how to hack a remote Windows 7 PC with the Watermark Master buffer overflow exploit. To those newbies who don’t know what Watermark Master is, it is “primarily meant for people who need to protect video or graphics files from illegal copying by putting a watermark (text or graphic information) over an image. Simple text, image file, animated GIF or video file can be used as watermark here. Besides, Watermark Master provides ability to apply a great number of various effects to a watermark, including dynamic effects. A dynamic effect implies variation of the watermark in time, for example, smooth appearance or disappearance of the watermark, movement of the watermark, etc.” This vulnerability exists in Watermark Master 2.2.23.

You can watch the video version, or scroll down if you are the reading type.

Start Metasploit and load the exploit as shown below. Set the meterpreter/reverse_tcp payload.

watermark_m1

Set the required options as shown below.

watermark_m2

After setting all the required options, type “exploit”.

watermark_m3

But before doing that, we have to create a listener. The process is shown below.

watermark_m4

Set all the options. The lhost and lport values should be the same as above.

watermark_m5

Type the command “exploit”. The exploit will run and stop exactly as shown below.

watermark_m5a

Now send this file to the victim.

watermark_m6

Now, when the user opens this file as shown below,

watermark_m7

watermark_m8

we will get a meterpreter session as shown below.

watermark_m9


It is the dream of every hacker to bypass the antivirus solutions of their targets. Recently we have been learning about various payload generators that can bypass antivirus. In this howto, we will see one such payload generator, designed to bypass antivirus, named Shellter.

In the words of its makers, “By using Shellter, you automatically have an infinitely polymorphic executable template, since you can use any 32-bit ‘standalone’ native Windows executable to host your shellcode. By ‘standalone’ is meant an executable that is not statically linked to any proprietary DLLs, apart from those included by default in Windows.”

Let us see how to install Shellter in Kali Linux. The version we are using here is the latest to date, Shellter V7.0, which can be downloaded from here. Go to the download page and download the zip file shown below.

Click on the link and save the file as shown below.


Once the download is finished, go to the Downloads folder. You will see the “shellter.zip” file as shown below. I copied the file to the root folder, but if you want to keep it in the Downloads folder you can. This step is not mandatory.

Now change the permissions of the zip file as shown below. Until you change the permissions, you cannot unzip the files. After changing the permissions of the file, unzip its contents using the “unzip” command.

Type “ls”. You will see a new directory named “shellter”. You have successfully installed Shellter in Kali Linux. Navigate into the “shellter” directory to see its contents as shown below. We will see how to use Shellter to bypass antivirus in our next issue. Until then, happy hacking practice.


Here’s a video version of this howto.