Archives

All posts by kanishka10

(Article taken from our Hackercool Magazine)

In our eternal journey of learning hacking and penetration testing, we need to install or set up so many software and labs. XAMPP server is one such important installation that may be useful to us especially if we want to become expert in web hacking.

XAMPP stands for Cross-Platform (X), Apache (A), MariaDB (M), PHP (P) and Perl (P). It is a simple, lightweight Apache distribution that makes it extremely easy for developers to create a local web server for testing and deployment purposes. It is open source and very simple to set up. Once we set up Xampp Server, we can install any CMS in it to practice website hacking or web security.

In this howto, we will see how to install Xampp web server in Ubuntu 16 Desktop. This Ubuntu Desktop is installed as a virtual machine in Vmware Player ( You can also use Oracle Virtualbox). Ubuntu (or for that matter any Linux distribution) has a default web server installed. But I decided to install Xampp server for its simplicity and ease of use.

Why are we setting this up in an Ubuntu system? Because most of the web servers in real life are set up in Linux and this makes it easy for us to simulate real world hacking attacks. Now let’s get to the installation part. Go to the downloads page of Xampp server and download the appropriate version (Many people download the 64 bit version and try to install it in 32 bit OS). For this tutorial, we are using the Xampp version 5.6.23.0 32 bit version since my OS is 32 bit.

The download should complete in a short time depending on the speed of your internet. Once the download is finished, open terminal. This can be done by clicking on search app at the top left of the Ubuntu Desktop and searching for terminal.

Once the terminal is open, navigate to the Downloads folder as shown in the image below. Type “ls” command to see a .run file of XAMPP server. Use command “chmod” to change the permissions of the “run” file. Once the colour of the .run file changes, execute the file by using command “./xampp-linux-5.6.23-0-installer.run” without quotes.

If you get an error as shown below, then you are not running with root privileges which are required for executing this file.

Click on “OK” and execute the .run file with “sudo” command as shown. When it prompts for sudo password, give the password.

The setup will start as shown below. Click on “Next”.

Click on “Next” again.

The system will show you the directory in which this server is being installed. Click on “Next”.

Click on “Next” again.

The system will show you a message that it is ready to install XAMPP server on your computer. Click on “Next”.

The installation process will start as shown below. It will take a bit long of time but it should not be too longer. Just go to a small stroll and come back.

After the installation is finished, you will be shown a window as below. Make sure that the “Launch XAMPP” checkbox is enabled and click on “Finish“.

The XAMPP server application is launched as shown below.

Go to tab “Manage Servers” as shown below. Make sure that Apache web server and MYSQL database servers are running. If any service is not running, you can start them using buttons given below. The services should be green in colour.

Now let’s see if you can access the phpmyadmin of the web server. PHPmyadmin allows yo- u to manage databases from the browser, Open a browser and type “localhost/phpmyadmin” in the tab to access phpmyadmin.  If everything went well, you should see this page shown below.

Now let’s see if we can access a website on the web server. In the browser window, just type “localhost” without quotes and you should see the webpage given below. This is the default webpage of XAMPP server.

Everything is set with our XAMPP web server. The XAMPP server can be started or stopped form the terminal using given commands as shown below.

 

 

 

Hello aspiring hackers. Today we will learn about Linux Configuration Enumeration POST Exploit. After getting a successful meterpreter session on the target Linux system (as shown here or here), the next logical step is to perform some enumeration on the target Linux machine. Metasploit has many POST exploits corresponding to Linux enumeration.

The first module we will see is Linux configuration enumeration. The enum_configs module is used to collect information from the configuration files found of applications commonly installed in the system. These applications may include Apache, Nginx, Snort, MySQL, Samba, Sendmail, sysctl, cups, lampp and SNMP etc. This POST module searches for a config file in the application’s default path and if the application exists on the target system, the module will download the files and store it.

If the application doesn’t exist or the config file is moved from its default location, this module will display the “file not found” message. (Just like any POST exploit or as shown in the shell_to_meterpreter exploit, we need to background the current session and load the POST module as shown above. Then set the session id and run the exploit). Here is the enum configs module in action as shown below.

 

 

Hello aspiring hackers. In this howto we will learn about WordPress Mobile Detector Plugin  upload and execute module .WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is very popular not only for the ease with which a website can be set up using it, but also how simply multiple plugins and themes can be added in it to give extended functionality without much hassle. But these plugins can pose a high security risk if not properly coded.

One such plugin is WordPress Mobile Detector. This plugin is used to display content on WordPress sites in a format suitable for phones and tablet devices. This plugin is used mostly by business users. Version 3.5 of this plugin is affected with file upload vulnerability. A hacker can upload malicious arbitrary files and execute them.

Let us see how this module works. Load the module and check the options it requires as shown below.

The options this module requires are the remote host address (target address), the targeturi and the local host address (IP address of Kali Linux). The only thing that can go wrong in setting options is that of targeturi, the location where WordPress is installed. If you set it wrong, this module may not work. Check if the target is indeed running the vulnerable version of the plugin using the “check” command.

Execute the modue using the “run” command. If everything went well, you should get a meterpreter shell on the target machine as shown below. You can see in the image below as to how this exploit works. This vulnerability is an arbitrary file upload vulnerability which allows hackers to upload any file into the target web server So this module first creates a malicious file, hosts it on a web server and uploads it into the target web server using this vulnerability.

We will be back with a new exploit next time. Until then, Goodbye.

Hello aspiring hackers, as you already know, the latest version of Kali, Kali rolling edition 2017.3 has been released. In this howto, we will see how to install Kali Linux 2017.3 in VirtualBox. The newest edition of Kali Linux gives users the best of all worlds – the stability of Debian, together with the latest versions of the many outstanding penetration testing tools created and shared by the information security community. The best feature I like in this version is constantly updated tools. Now let us start with the installation part. Download the latest version of Kali Linux from here.

For this howto, we will use VirtualBox version 5.30 (the latest version till date) which can be downloaded from here. Before we start the installation there’s a small step we need to perform. Enabling Virtualization technology in the host (the system on which VirtualBox is installed or being installed).

Virtualization is a feature included in processors which when enabled will help in accelerating virtual machines used by Virtualbox, Vmware or Hyper-V. Intel Processors have Intel-VTx and  AMD processors have AMD-V hardware acceleration features. I don’t know what exactly is the reason but this feature is disabled by default in modern CPU’s. This feature can be enabled by booting into the BIOS or UEFI.

The BIOS key is different for different PC brands. Here I have given the BIOS hot keys for some popular PC brands I collected from internet.

Acer – Del or F2                                                                                                                                Asus – Del, F2 or F9                                                                                                                            Acer – Del or F2                                                                                                                                  Compaq Presario – F10                                                                                                                        Dell – F2 or F12                                                                                                                                      HP – Esc or F10                                                                                                                                      Lenovo -F1 or F2                                                                                                                                    Samsung – F2                                                                                                                                        Sony – F2                                                                                                                                        Toshiba – Esc, F1 or F12

To boot into BIOS, you need to restart the system and start pressing the respective hot key for your PC brand. Once you boot into BIOS,you will see a screen as shown below. This is a BIOS screen for a Lenovo system.

Enable that feature as shown below and Save the options and exit.

With that taken care of,  Open Virtualbox and go to “Machine” and click on “New” or hold “CTRL+N”. The below window will pop up.

Click on “Expert Mode” and the window should transform as shown below.

Choose the name for your virtual machine. I named it Kali 2017.3. Choose the OS type as “Linux” and version as “Debian(32 bit)” ( since I am installing 32bit version.). Allocate memory of atleast 1GB. Keep other options default and click on “Create”.

Allocate hard disk size around 14GB or minimum 10GB and click on “Create”.

A virtual machine is created. Now open its settings, go to system settings and enable the PAE/NX feature as shown below.

Turn on the Virtual machine. It should start up as shown below.

Browse to the ISO file of Kali Linux we downloaded.

In our previous guides, we were performing Install. For a change, we will do the Graphical Install this time. Select the Graphical Install Option.

Choose the language as “English” or as applicable. Click on “Continue“.

Select the location of your choice. I chose “India.” Click on “Continue“.

Choose your keyboard. Click on “Continue“.

The system will load some additional components and then prompt you for the hostname. Enter hostname and click on  the “Continue” button.

Give any domain name if you want. However it is optional. You can even leave it blank. Click on  “Continue”.

The system will prompt you to set the root password. Enter the root password, confirm it  and click on “Continue.”

The system will prompt you to partition disks. If you are not sure what to do or a novice, choose “Guide-use entire disk” option. Click on “Continue“.

Click on “Continue“.

Select the partitioning scheme of your choice. If you are a new user, choose the first option as recommended. Click on “Continue“.

Then we will be shown an overview of current settings we chose. Choose the option “Finish partitioning and write changes to disk.” and Click on “Continue“.

Select the option “Yes” to write the changes to disk. Click on “Continue”.

The installation will start. It will take a bit of time to be finished.

In the middle of the process, you will be prompted if you want to use a network mirror. select “No” or “Yes” according to your choice. I chose “YES”.

In the “Proxy” window, leave it blank and Click on “Continue“.

Then system will ask you whether to install the grub Boot loader or not. Select “Yes” and click on “Continue“.

Select the highlighted option and click on “Continue”.

When the installation is completed, the system will ask you to boot into the system. Click on “Continue” to perform this.

The system will reboot into the operating system. Enter the username as “root” and the password as configured above. Now comes the most interesting but contentious part. Yes, installation of guest additions. Open a terminal and type command “apt update && apt -y dist-upgrade” without quotes. This will update system to the latest packages and repositories.

Reboot the system using “reboot” command to make sure system is updated.  Now to install Guest Additions, type command “apt -y install virtualbox-guest-x11” without quotes in the terminal. This will take some time so don’t panic. Just wait and watch.

Reboot  the system again. This will successfully install Guest Additions in Kali. Hope this was helpful. If you face any problems during installation, please leave a comment below. Thanks.

In the previous howto, we have seen how to research about a vulnerability in the FTP service running on our target system and exploit it to gain a shell on that system. In this howto, we will  see hacking the SSH service running on port 22. It can be seen that the target is running OPenSSH 4.7p1 SSH server.

I googled about the above mentioned version to find out if it had any vulnerabilities and exploits for those vulnerabilities. After an arduous search, I found one exploit but that seemed to be not working (Its not always a positive result in hacking).

Remember that we already gained a shell on the SSH server in one of our previous howtos. We did this using the credentials we obtained during enumeration of the target system. (This is why enumeration is so important). We used this credentials in a Metasploit SSH login module to get a shell on our target system.

This time we will see another way of gaining access to the SSH server using the same module. This SSH login module can also be used to brute force the credentials of the SSH server. Let’s see how it works. Load the module and check the required options.

In order to brute force the credentials, we need to specify a dictionary for cracking username- s and passwords in the similar fashion we set while using Hydra. We will use the same dictionary we have used while performing password cracking with Hydra.

I have set the same file for both username and passwords. To conserve time I have set the option “stop_on_success” to True. This option will stop the brute forcing if it finds even one login credential. I have set the “verbose” option also to TRUE. This module is normally used to brute force multiple SSH servers at once. That’s the reason it has “RHOSTS” option instead of “RHOST” option. Any how we can still set a single IP as target. All the options are shown as below.

After all the options are set, execute the exploit using the command “run”.

Once the password is cracked successfully, the module displays the credentials and automatically gives us a shell on the target system as shown in the above image. The available sessions can be viewed as shown below.

We can also login into the SSH server using the credentials we obtained prior as shown below.

Hello aspiring hackers. The exploit we will see today is a POST exploitation Metasploit exploit that performs Powershell enumeration in Windows. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command line shell and associated scripting language built on the .NET Framework and .NET Core.

PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Its same as a command line shell but powershell is more powerful than CMD. It is a very helpful tool for network asministrators. If used properly, it can also be used by hackers to the full potential.

But we need to know about the Powershell settings installed on the target system for this. This powershell enumeration module exactly does that for us. Let us see how this module works. Just like any Metasploit POST module, we need to have a valid meterpreter session to run this module. Background the current meterpreter session and load the powershell environment enumeration module as shown below. Type command “info” to view the information about this module as shown below.

Type command “show options” to view the options to be configured. Set the session ID of the meterpreter session we just sent to background and execute the module using command “run”.

As you can see in the image above, our module successfully completed powershell enumeration of the target machine. Powershell version 2.0 is installed on our target system an there are no powershell snap-ins are installed. It seems none of the users have powershell profiles.

Hello aspiring hackers. The module we will learn about today is the Git Submodule Command Execution Exploit. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).

It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.

Git submodules allow users to attach an external repository inside another repository at a specific path.This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.

This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.

First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.

Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.

As this happens in our victim system, we will already get a command shell on our attacker system as shown below.

We can see the active sessions using the command “sessions”.

 

In the previous howto, we saw how information about the services running in the target system can help us in researching about them and finding vulnerabilities in those software. For example, imagine I am a black hat who performed a Nmap scan on the target (in this case, Metasploitable). The target has displayed so many banners of the services running.

Let us see if we can try out the FTP service at port 21 to get access to the system. Since I am a black hat, assume I have not performed any automated vulnerability scan. Following the process shown in the last howto, I google about vsftpd 2.3.4.

I got a lot of information about the FTP service at port 21. Vsftpd stands for very secure FTP daemon and the present version installed on Metasploitable 2 (1.e 2.3.4) has a backdoor installed inside it. It seems somebody uploaded a backdoor installed Vsftpd daemon to the site. This malicious version of vsftpd was available on the master site between June 30th 2011 and July 1st 2011. So our target might be using the malicious version. While searching for exploit on exploit database, I found a Metasploit exploit for this vulnerability. So I start Metasploit and search for the exploit. I found it after some time.

I loaded the module and checked its options using “show options” command.

The only option required is the IP address of our target to be specified in the RHOST option. I set the RHOST option and execute the exploit using the “run” command.

I successfully got a shell on the target system as shown in the image above. I try out some basic Linux commands. As this shell has root privileges (shown in the above image), I decided to have a look at the passwd file of the target. Here it is.

Since we have shell access, we can perform all tasks which we perform from the terminal of a Linux system. We can even shutdown the remote system but keep in mind that you will lose your access to the system.

Recently, we saw the Windows Fodhelper Privilege escalation exploit. Today we will learn about another Windows privilege escalation exploit that works on machines from Windows 7 to Windows 10. This exploit bypasses the User Account Control of the Windows and gives us system privileges. Its called Windows BypassUAC COMhijack exploit. How does it do this? Let us see.

COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows Runtime.

This module will bypass Windows UAC by creating COM handler registry entries in the Hive Key Current User hive. These created registry entries are referenced when certain high integrity processes are loaded which eventually results in the process of loading user controlled DLLs (as you already know DLLs are Dynamic Link Libraries).

These DLLs the exploit loads contain the payloads that result in elevated sessions. After the payload is invocated, registry key modifications this module makes are cleaned up. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

Now let us see how this exploit works. As for every privilege escalation exploit, we need to already have a meterpreter session like the one we have here, here and here.  Background the current meterpreter session and remember the session id. Search for the bypassuac_comhijack module as shown below.

Load the bypassuac_comhijack module as shown below and check its options by using the “show options” command as shown below.

Set the session id as shown below and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.

Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.

Hello aspiring hackers. Welcome back. Previously we have seen how to exploit vulnerabilities in C&C servers of some popular malware like Darkcomet and PoisonIvy RATs. Today we will see how to exploit a vulnerability in another popular RAT named GhostRAT and hack a system.

Gh0st RAT is a remote access trojan designed for the Windows platform which was used by operators of GhostNet to hack into some of the most sensitive computer networks. It is actually a cyber spying computer program. Every RAT has a command & control server also called controller.

This module exploits a buffer overflow vulnerability in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability allows a hacker to execute remote code on the target machine.

Its highly unlikely that you will find a system with Gh0stRAT command and control server installed during a pentest, but we can’t say anything. So imagine a scenario where I am port scanning a network for systems with port 80 open and find this machine.

Then I perform a verbose scan on this machine to know what exactly is running on port 80 and I get this.

In the ensuing research I find out that this is a GhostRAT Command and Control Server and there is a Metasploit module for this RAT. I am not yet sure if my target is running the vulnerable version of this RAT. So I fire up Metasploit and search for the module as shown below.

I load the exploit and check its options as shown below.

I set the target IP and use the “check” command to see if our target is vulnerable to this exploit. The target appears to be vulnerable. I execute the exploit using the “run” command and voila, I get a meterpreter session successfully as shown below.

 

I check the privileges and system information using “getuid” and “sysinfo” commands respectively.