Posts

Showing posts from 2015

CTF Hack Dat Kiwi Writeups

Image
           I've participated in a CTF hack dat kiwi held on 19th and 20th November 2015. The CTF was organized by Abius X. Let me tell you this was one of the finest CTF that I've every participated. Everything was awesome and organised. I've solved few challenges and was at 234th rank  http://hack.dat.kiwi/scoreboard  (Handle: Transformers) SSL_Sniff 1 (50 points) A wireshark file was given (dump.pcap) can be found https://www.dropbox.com/s/85f7kipys931m8n/dump.pcap?dl=0

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I

Walkthrough Tr0ll 2 VM (Vulnhub)

Image
Tr0ll 2 vulnerable VM walkthrough. 1) Nmap scan:

EchoServer (Strcpy) bufferoverflow Securitytube Exploit research Megaprimer

Image
       This blog is all about Exploit Research Video #3 form Pentester Academy/Security Tube. The exploit Research Megaprimer can be found on http://www.securitytube.net/groups?operation=view&groupId=7 Here I will be demonstrating buffer overflow on a strcpy or echo server that is written in c programming language by Vivek Ramachandran. All you need to do is double click on the Server-strcpy.exe file to run the server. Configuration/Setup:

Whitehat Wargame websecurity challenges

Image
 Walkthrough of some Web security challenges that are present at Whitehat wargame https://wargame.whitehat.vn/Challenges/List/2 Note: It is the walkthrough of challenge that is present not at the above link. It is not a CTF WebSecurity Challenge Web001

Pentester Academy Command Injection ISO basilic 1.5.14 exploit

Image
This writeup is published on infosecinstitute.          Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework. Refer the following link for download and information purpose: https://www.vulnhub.com/entry/command-injection-iso-1,81/ http://www.pentesteracademy.com/course?id=12 Lab setup: 1) Kali linux (Bridged or NAT) . My Kali Linux Ip was 192.168.1.102 2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103 Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn) Checking out for port 80 on Command Injection ISO (192.168.1.103)

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close

MS SQL Pentest

Image
     In few of me internal pentest engagement I was able to enumerate IP and credentials of database server, either by brute-forcing or searching the code for database connect string.      In last 6months I got the database credentials twice in client side code excluding the successful brute-force.     Previously when I use to get the credentials, I try to connect the server using a local client. Eg. If I get credentials of MS SQL Server then I download some client for it and try to view the database.     This time I was not really interested in doing that. Instead I was thinking to escalate my privilege and do something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executing in sql format.    So I googled ways to enumerate mssql and I got a very good link https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/

Port forwarding and pivoting

Image
"This blog is already published on infosecinstitute" In computer networking , port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall . This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host   More info on Port forwarding Lab Setup: Requirement         Three Machine         1 - Attacker (Kali)         2 - WinXP         3 - Linux (Metasploitable or any vulnerable Linux Machine). Vmware IP Setup Attacker         eth0 - (C Class IP) eg. 192.168.1.104 WinXP         1 Ethernet - (C Class IP) eg.1 92.168.1.131  

De-Ice 1.20b Walkthrough

Image
                     Well 15 days back I have written Walk-through of De-Ice 1.120a On My Blog . I got great response by vulnhub and they published my walk-through  https://www.vulnhub.com/author/trnform3r,152/ With a such a warm encouragement I feel like writing more walk-through. Here Is my walk-through on De-Ice 1.20b. You can download the VM and get more info about it form here . Note: The attacker machine and the VM should be in the subnet of 192.168.1.0/24 Labsetup:  1 - Open Vmware - > Edit - >"Virtual Network Editor" 2 - Click on "Add Network" and add any 1 Network example VMnet2 3 - Select VMnet2 and change Subnet IP - 192.168.1.0 and Subnet mask - 255.255.255.0 also select "Host - Only" 4 - Now add this adapter VMnet2 for both the machine. When you start the VM it looks something like this.