Showing posts from July, 2015

Whitehat Wargame websecurity challenges

Walkthrough of some Web security challenges that are present at Whitehat wargame

Note: It is the walkthrough of challenge that is present not at the above link.
It is not a CTF
WebSecurity Challenge Web001

Pentester Academy Command Injection ISO basilic 1.5.14 exploit

This writeup is published on infosecinstitute.

         Pentester academy has launched a Command Injection ISO virtual image of Ubuntu with lots of real world vulnerable application framework.

Refer the following link for download and information purpose:,81/

Lab setup:
1) Kali linux (Bridged or NAT) . My Kali Linux Ip was
2) Command Injection ISO (Bridged or NAT). My target IP was

Login into command injection ISO with user name securitytube and password 123321 to check for the DHCP ip address allocated or simply do a ping scan (nmap -sn)

Checking out for port 80 on Command Injection ISO (

Minishare 1.4.1 Bufferoverflow

You can download the server from:

Exploit code in ruby:

The vulnerability is a long URL in the GET request.

Lab Setup: 1) Windows xp ( I am using windows xp sp1)
2) Immunity debugger installed on the windows xp machine.
3) Minishare 1.4.1 installed on windows xp running on port 80.
2) Kali linux for scripting and exploiting.

Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below.

Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script.

import socket,sys
buff="GET "
buff+=" HTTP/1.1\r\n\r\n"

Execute the exploit.It is observed t…

MS SQL Pentest

In few of me internal pentest engagement I was able to enumerate IP and credentials of database server, either by brute-forcing or searching the code for database connect string.

     In last 6months I got the database credentials twice in client side code excluding the successful brute-force.

    Previously when I use to get the credentials, I try to connect the server using a local client. Eg. If I get credentials of MS SQL Server then I download some client for it and try to view the database.

    This time I was not really interested in doing that. Instead I was thinking to escalate my privilege and do something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executing in sql format.

   So I googled ways to enumerate mssql and I got a very good link

Port forwarding and pivoting

"This blog is already published on infosecinstitute"

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host

More info on Port forwarding

Lab Setup: Requirement
        Three Machine
        1 - Attacker (Kali)
        2 - WinXP
        3 - Linux (Metasploitable or any vulnerable Linux Machine).

Vmware IP Setup
        eth0 - (C Class IP) eg.
        1 Ethernet - (C Class IP) eg.1
        2 Ethernet - (A Class IP) e…