JUZ P3NT3$T (-)@$(-)!M

 Walkthrough of some Web security challenges that are present at Whitehat wargame https://wargame.whitehat.vn/Challenges/List/2 Note: It is the walkthrough of challenge that is present not at the above link. It is not a CTF WebSecurity Challenge Web001

This writeup is published on infosecinstitute.          Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework. Refer the following link for download and information purpose: https://www.vulnhub.com/entry/command-injection-iso-1,81/ http://www.pentesteracademy.com/course?id=12 Lab setup: 1) Kali linux (Bridged or NAT) . My Kali Linux Ip was 192.168.1.102 2) Command Injection ISO (Bridged or NAT). My target IP was 192.168.1.103 Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn) Checking out for port 80 on Command Injection ISO (192.168.1.103)

You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close

     In few of me internal pentest engagement I was able to enumerate IP and credentials of database server, either by brute-forcing or searching the code for database connect string.      In last 6months I got the database credentials twice in client side code excluding the successful brute-force.     Previously when I use to get the credentials, I try to connect the server using a local client. Eg. If I get credentials of MS SQL Server then I download some client for it and try to view the database.     This time I was not really interested in doing that. Instead I was thinking to escalate my privilege and do something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executing in sql format.    So I googled ways to enumerate mssql and I got a very good link https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/

"This blog is already published on infosecinstitute" In computer networking , port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall . This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host   More info on Port forwarding Lab Setup: Requirement         Three Machine         1 - Attacker (Kali)         2 - WinXP         3 - Linux (Metasploitable or any vulnerable Linux Machine). Vmware IP Setup Attacker         eth0 - (C Class IP) eg. 192.168.1.104 WinXP         1 Ethernet - (C Class IP) eg.1 92.168.1.131