Liveatc.net shannon high control ATC - Virtual Radar Server - FlightRada...

Liveatc.net shannon high control ATC - Virtual Radar Server - FlightRada...

level1 dojo1 shortcutFoo command line

Off topic subject

okay okay, I know its totally unrelated, never the less, you can get the awesome oddworld munches oddysee from the google play store for none other than 10p

Google Play Store

not sure how long this has been at this price or even how much longer it will stay at this price

ps I was given £1 to spend in the play store a few weeks ago from google, which had about a 6 week expiry so check your emails and see if you've got anything if not check the google rewards app

Back & refreshed

So after a short hiatus I'm back, hope you all are well! I can only apologise for a lack of content or updates but I just needed a break, so over the last 3 or 4 months I've not read any emails at all. NIL. In fact this device hasn't been on since around May, so I've got an absolute shitload of catching up to do and will report back mid week

Peace

Linux+ chapter 1 Understanding command line basics UNAME

OK, so my test version of linux is up and running, in reality I'm using kali linux not for the entire project but just because i using my kali box for some other stuff at the time of writing.

First up the uname command.

As you begin using linux regularly you quickly realise linux uses some extremly powerful commands and there are many many ways to achieve a particular objective.

the difficult thing for me initially with linux is remembering what command does what. This is why getting practical practise is critical in retaining the knowledge who have learned; consider the following problems that need solving,

how do you ?

• print the kernel name
• print the network node hostname
• print the kernel release
• print the kernel version
• print the machine hardware name
• print the processor type
• print the hardware platform
• print all of the above

well this is what i love about linux all of the above can be done with a single command uname 
while the uname command alone doesn't reveal all of the above you need to use switches, for example.

uname -r prints the kernel release -r been the switch

uname --kernel-release does exactly the same thing --kernel-release is the switch used this time.

to get info on nearly all commands in linux use either the man or info command

• man uname
• info uname

if you anticipate doing the linux+ exams you'd certainly will need to start making mental notes of these switches and what they do, to aid us we can create our own custom quiz questions to aid us, but remember everybody learns very differently 
 

overthewire.org BANDIT level13-14

An interesting challenge this. For the first time we move away from file commands and begin making use of commands more a kin to use within network operations

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

as ever with the beauty of *nix there is always more than one way to skin a cat, I simply chose the method that i know.
The full spoiler can be found at youtube

Hacking via wargames with Overthewire.org

I understand why military and security services are constantly wargaming, getting there units prepared for events before they happen, while there can be no substitute for the real thing, failing to prepare is preparing to fail. The same applies when it comes to pentesting, you need to constantly put into practice the skills you learn, one way to do this is via deliberatly vulnerable virtual machines like DVWA or Metasploitable, of which there are many some offline some online these are getting learning/teaching tools for anybody remotely insteresed in any aspect of computer security.
In the previous post I mentioned how I struggle badly with sticking to a project right through to the end, well this is another example. I'd like to introduce an awesome site I first started using back in 2014 that site is
http://overthewire.org/wargames they over a wide varitey of hacking wargames (online) they vary greatly in the skills you will need and the skills you will acquire, as I've now set myself a schedule to aid with all the learning i'm doing i will be updating (well at the very least uploading my videos) as I go along.

When i started on overthewire in 2014 I'd already begun uploading some videos to youtube only in the last week did i notice  something saying PLEASE DON'T UPLOAD SPOILERS, i have 2 issues with that

•  well i have to disagree with that, if people want to not learn anything by reading spoilers that has to be option they are allowed to take if they choose
• after not using overthewire for over 2 years i needed to to get back to the point i was last at on OTW, by looking at my youtube videos i could immediately see where i was last upto.

the latter actually saved me the rig-moral of relearning the techniques i learned the first time i started with OTW, essentially the videos acted as a prompt to quickly bring me upto speed.

When i initially started using overthewire.org i immediately noticed a page called wechall scoring. The top of the page read the following

OverTheWire makes use of a scoreboard provided by WeChall to allow players to track their own progress and promote some healthy competition between players. To make use of this scoreboard for OverTheWire games, you need to follow these steps:

awesome there is a way for me to keep  track of the progress of my activities on overthewire. the first thing i need to do was

1. First, go to WeChall and register for an account.

why the need to register an account at another website i grumbled at first but on the first visit to wechall.net I realised just how many different wargame sites there is out there. Currently at the time of posting there are 58 different wargame/hack sites that incorporates the wechall scoring system.

I've currently only used overthewire although i've briefly had a look at a few of the other sites but I cant recommend this type of practice highly enough, while i'm putting most of my focus into web application security this will help fine tune a lot of other core skills. certainly while hacking on overthewire I've learned a lot of advanced features on some of the basic linux commands like

ls,grep,cat,file,du,type,sort,uniq,strings,gzip

and lots and lots more commands i only ever used for very basic things anyway the bottom line get onto overthewire.org setup wechall scoring on your machine and hack away every day
for now you keep an eye on my overthewire playlist over at youtube which i'll most likely update in batches

PEACE

CompTIA Linux+ LX0-103/LX0-104 Initial assessment

Something that happens quite often for more, is not finishing shit off, its annoying so I m gonna use this blog as i intended it, basically as a note keeper. Truth is while beginning my bug hunting journey I quickly realized there was/is a lot of missing skill sets. They all relate to projects I started previously and never finished, namely

• learning python
• mastering the linux command line

both of which in my eyes are crucial to the bug bounty efforts, so ill keep all my  project notes here, these will be in (note to self format) and is not intended to mean anything to anyone other than myself all though others that may stumble across this blog at some point, it might be relevant to them.

Starting with the introduction assessment test, this test is solely aimed at testing your immediate knowledge of the linux system and potentially help discover any areas of work that need focusing on. so here goes........

--------------------------------------------------------------------------------------------------------------------------- 

1. option D  wrong option B
2. options A & C correct
3. B wrong option D
4. C Correct
5. C & D correct
6. E correct
7. A wrong option C
8. E Correct
9. B Correct
10. B,C,D wrong B,D,E
11. A Correct
12. C,D wrong A,D
13. C Correct
14. B Correct
15. E Correct
16. A Wrong option D
17. B,C Correct
18. D wrong C
19. D Correct
20. B Correct
21. A,B correct
22. B correct
23. A correct
24. B,D Correct
25. A,C correct
26. D correct
27. C wrong B & E
28. E correct
29. A,B wrong B & E
30. C correct

----------------------------------------------------------------------------------------------
 This answer for these are contained within the book, not only do they give you the correct answer but allows tells why the other answers are also wrong, this is an excellent way for my learning, as reading the the wrong answers helps provide possible answers for other questions, for example heres the first answer in full

1. B. The Monitor section defies the monitor options and settings but not doesn't combine it with the video card, so option A is incorrect. The Modeline line defies the available video modes in the Monitor section, but it doesn't define video cards, so option C is incorrect. Option D, the device section is also incorrect; it defines the video card but doesn't match it with a monitor on the system. Option E is incorrect because the module section defines which X server modules (or drivers) are loaded but it doesn't match monitors and video cards. Option B, the screen section, tells the X server about the combination of video cards and monitors that you're using, so it's the correct answer.

Clearly there is a lot of info here and it goes beyond simply explaining the correct answer. I highlight the key parts in the book to aid me.

for the benefit of time and this blog and as this is an initial assessment ill simply post the answers here without the details just to log how many i got right/wrong. I'm quite pleased with the results of the initial assessment test, the key thing here is learning what the wrong answers do

Another brief **yawn** note

ok so things are moving quite rapidly now and to be honest I'm truly overwhelmed with all this pentetsing, from duplicate reports to writing detailed reports and, you are literally learning everyday, the experts are 100% correct web applications are completely full of holes,rest assured im working hard in the background and will give this blog some much need love when I get the chance.

I had my first confirmed bug last week, I've not asked for pubic disclosure yet but will do in the future, although now I'm participating in these bug bounty program I see why some researchers are at logger heads with whether to publicly disclose their vulns or not, well watch this space.

Some things I've learned quickly

• Do not under estimate the power of reading publicly disclosed vulnerabilities. 
• Do not underestimate the knowledge you get from reading the web application hackers handbook [pdf didnt help] I needed the physical book for sure
• OWASP top 10
• The wide range of deliberate vulnerable apps [mutilidae, DVWA, BWAPPS, webgoat etc]
• be patient there are lots of bounty hunters, but there is more than enough bugs for everyone and they wont be going away anytime some.

some annoyances I've come across.

• vendors paying out for bounties which are out scope, while its good  vendors pay and/or acknowledge bugs that are out of scope, just think whats been missed by researchers as they didn't know a particular domain was in scope.
• people begging bounty, yes we all need to eat and i'll be the first to say I'm doing this firstly for the money and as each day goes by and im seeing more and bugs in applications I use I see why people also do this not for the money but for the benefit of everybody involved.

finally

no body was born (as far as I know) with the ability to walk or run, yes we had the means to (legs) but they had to learn first (knowledge) this applies here in this field to, in a nutshell
beginners
dont try run before you can walk

experts/seniors/elders
we all have to start from somewhere

peace

Briefly

I see i haven't posted anything in a while, well fear not, ive created a lot of content, truth is I just dont have time to blog or upload, all that precious time is been spent bug hunting, Still I thought i'd share something you may find valuable on your adventures, a post exploitation guide, which is really handy,

Mubix Post Exploitation Guide

New version of mutillidae released

A new version of mutillidae has been released, the current version is 2.6.34, dont forget to download the md5 checksum for the zip file and then verify the integrity of the download

echo 1ebe063a0b258093b5df45e81fe8954e LATEST-mutillidae-2.6.34.zip | md5sum -c

available from sourceforge

update I've sent jeremy druin aka webpwnized a message stating that after install etc the version shows as 2.6.32 not sure if the error is in the upload or directly in web app it self

awaiting response

update: according to webpwnized this will be fixed in a coming update, for know I can edit the the /includes/constants.php file myself and correct it

Sqli-labs Object: GET - Error based - Single quotes - String lesson 1

Practice sql injection hacking skills using this vulnerable sql framework

browser:iceweasel
os: kali linux
Web App: SQL-Labs

SQLi-LABS can be downloaded from

https://github.com/Audi-1/sqli-labs

There are several lessons and I will iterate through them all starting with less-1

lesson: number 1
Object: GET - Error based - Single quotes - String

This is simple stuff, simply visit

http://192.168.0.9/sqli-labs/Less-1/ 

we are met with an info message

Please input the ID as parameter with numeric value

we can achieve simply appending the following to the url

?id=1

so our full url will now look like 

http://192.168.0.9/sqli-labs/Less-1/?id=1

a users username & password are returned to the screen changing ?id=1 to for example ?id=2 will display different credentials.

To get a simple error message produced on the screen simply append 
' (a single quote) to the url
which returns the following error message 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1    
this bares all the hallmarks of a sql injection vulnerability, so therefore lets fire up sqlmap

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" --dbs

this gives us the names of the databases

 if your not sure which database to look in you'll have to poke around and see, our target is the security database, next we want to have a look at the available tables therefore our next command is 

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security --tables

 

  now then the users table looks interesting, lets go ahead and see whats inside, we have the database name and table name now we need to see whats in the column, heres the new command

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users --columns

awesome the column contains id's passwords and usernames we want to see all that, heres the final command.

sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users -C id,password,username --dump

we have sucessfully a exploited the sql injection vulnerability to retrieve all id's usernames and passwords from the mysql database

remember in the previous post sqlmap-database-takeover-tool-old-skool 
we had to use the --data="" switch this was because the method was post and in this example the method is get therefore there was no need use --data=""
 

SQLMAP Database Hacking - An Easier Way

Using sqlmap in conjuction with burpsuite (easy)

tools:sqlmap, burpsuite
OS: kali linux

previously in this blog post we used passed some parameters to sqlmap to aid in our attack, well there is a faster method of passing data to sqlmap from burpsuite and its easy

navigate to

• http://192.168.0.9/mutillidae/index.php?page=login.php

which is the login page we wish to bypass

• attempt to login using ANY username & ANY password 
• capture the POST request using burpsuite
• right click on the request 
• select save item (then save to your chosen location)

now we can run the sqlmap command easily without passing all the parameters to it  we simply run

sqlmap -r "PATH_TO_SAVED_REQUEST"

I saved the request as sqlmap-practice

This makes it much easier to pass data to sqlmap, however to fully exploit the database ie hack the accounts we still need to find out the following;

database name

database tables

database column

this can only be done (as far as im aware) via experience and/or trial and error

I've utilized this easier method to successfully attack and own all
OWASP A1 (SQL Injection lessons) in mutillidae

SQLMAP - Database takeover tool - the old skool way

Hacking mysql database via SQLMAP

here I will demonstrate a sql injection attack using SQLMAP, I will use this hack to bypass a login

Tools:SQLMAP/Burpsuite
Browser:Iceweasel
Web App:Mutillidae v2.6.30
OS:Kali Linux

First;

• configure browser and proxy (I'm using burpsuite) then head to 

•  http://192.168.0.9/mutillidae/index.php?page=login.php 
• enter some data in the username & password fields
• In burp review the data from the post capture we need some info for it

so using the capture above we can now begin constructing our sqlmap command.

sqlmap --url="ENTER_FULL_URL_HERE" (this is a combination of the host and post field as shown above)

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php"

next part of the command
--data="ENTER_DATA_HERE" (this is actually the body of the post request)

--data="username=admin&password=admcdicndsjcn&login-php-submit-button=Login"

and finally 
--banner (retrieves database banner)

the sqlmap command is now complete. our full sqlmap command is;

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" --banner 

(a truncated video displaying the outcome of the injection)(**banner**) 

BYPASSING A LOGIN USING SQLMAP 

 so we are 100% certain that the mysql database is vulnerable to sql injection, now we will escalate our attack and see what credentials we can grab

So now as we know we need to bypass the loggin presented to us on the login page, we know now that the application vulnerable to sql injection so we will mount an attack to verify this. We already have the main command for the attack already

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login"  

we simply need to append the command slightly, first new command/switch/paramemter we enter is 

--dbs (this tells us the available databases)

there  was 6 options 

form experience I know that the database we need to attack is named nowasp, now we can further ammend our sqlmap command to ;

 remove --dbs (as we now know the name of the databse that we need to hack)
add
-D owasp 
and add
--tables (the tables switch will list all tables within the database owasp)

 again experience tells me i want to retrieve the info held within the accounts table
we can now further ammend our command
remove
--tables
add
-T accounts
add
--Columns (gives us a list of columns to select info from  

bingo we know have a full list of all the columns of info we want to retrieve, in this case i want
firstname
lastname
password
username
we are now ready to complete our sqlmap command and hack so we
remove
--columns 
and add
-C firstname,lastname,password,username
we need to --dump all credentials retrieved so we can see them so we us the --dump command, our full sqlmap injection command is

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" -D nowasp -T accounts -C firstname,lastname,password,username --dump

we have successfully retrieved all usernames & passwords for the login to the system thereby bypassing any need for us to need our own login.



 

Verify checksum of files on linux

when downloading files especially from the Internet, its crucial that you verify your download, this will help you release if the actual you file you have just downloaded has been tampered with in any way by another party.

In this example we have just downloaded WebGoat from the interweb the filename and checksum is displayed in the pic below

filename: WebGoat-5.4-OWASP_Standard_Win32.zip
SHA1 Checksum: eb61e9eadb00ae62796110bedf16366a8a15c02f

to verify this in linux (kali) this is simple, simply enter teh command as shown below 

echo eb61e9eadb00ae62796110bedf16366a8a15c02f WebGoat-5.4-OWASP_Standard_Win32.zip | sha1sum -c - 

sha1sum checksum    

to verify that the  sha1sum matches the filename, the output returned is 

 however if there was a mismatch you will see;

 

OWASP A1 - Injection - Other Commix OS command injection tool

OWASP A1 INJECTION OTHER

tools: commix burpsuite iceweasel

Vulnerable app:Mutillidae V2.6.30

Came across this tool recently commix (Command Injection eXploiter) so i thought i best put it to the test and heres what i did 

commix --url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php" --data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS" --cookie "showhints=1; PHPSESSID=bf0t3nlg0f67u34f36gvaug5r7" --os-cmd="cat /etc/passwd" 

so lets look at where we got these parameters from in detail

--url="http://192.168.0.9/mutillidae/index.php?page=dns-lookup.php"  

--url="" is the param for entering a url, between the quotes is the  ACTUAL url of the web page we want to test command injection on in this case its the dns lookup page of mutillidae 

 --data="target_host=INJECT_HERE&dns-lookup-php-submit-button=Lookup+DNS"

--data="" is the actual param for entering data in this case its the post data of the request produced when submitting the page, we insert the actual data BETWEEN the double quotes. To get the actual data follow these steps

• on the dns lookup page enter a IP or hostname and click Lookup DNS

•  in burp suite highlight the bottom line and replace www.google.com with INJECT_HERE

• then copy & paste the entire line BETWEEN the double quotes

--cookie="" is the param where the  cookie goes

copy the cookie as shown above from burpsuite (or an add on like tamper data) and paste directly between the double quotes

finally we use --os-cmd="cat /etc/passwd" 
--os-cmd="" allows a single os command to be executed
cat /etc/passwd is the command we have injected and gives us a list of users in the system

The output is printed to screen as shown below

A video of the full attack is shown below 

A more (visually improved) method of getting the output of cat /etc/passwd is via commix built in enumeration by using the switch

--users 
watch the video below to see commix in action enumerating users

Enumerating usernames

Enumerating usernames

Tools used;
browser:iceweasel
web app: Mutillidae

This simply will let us know if a username has already been used, to achieve this simply attempt to log in with usernames, it doesn't matter if you don't know the password as we are simply enumerating usernames so we can later launch a brute force attack

first we use one test username we have no idea if this username has been used already (I used the name jess) the result was

therefore there is no username of jess registered on the system

secondly i used a common username admin  the result is

this clearly demonstrates that although the password we supplied was incorrect there is definitely  a username called admin - we can now attempt to brute force the admin username using hydra or burpsuite (intruder)

mutillidae brute force login

Brute Force Web Login using Hydra

OS used: Kali Linux
Tool Used: hydra/ burp suite
web app: mutillidae

here is the command used in full;
hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9  http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"


lets break it down

hydra > this is the name of the brute force program
-l admin > this tells the program to check the username admin (this was gained via enumeration earlier)
 -P /root/Desktop/work/mutillidae/mutilldae-passwords >this is the path to the password file used
192.168.0.9 > this is the host address (ip) of the server 
http-post-form > this is the type of form we are attacking
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

 "/mutillidae/index.php?page=login.php > this is the parameter to the login page the " is appended to the beginning

to work out the remainder of the command consider the following

 this was taken from burp suite and is the result of a POST request to the server in an attempt to login, we pass these paramemters in part to hydra to complete the command prior to attacking the login page. Hence the command continues with;
:username=^USER^&password=^PASS^&login-php-submit-button=Login
but there is still one more piece of info we need which is  
:Not Logged In"
the " is appended to the end the Not Logged In is the result of a user not been logged and is what is presented when you visit the log in page without logging in as shown below

remember these parameters will differ depending on the application used
the command

hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9  http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

is now complete and we begin our attack

Brute Force Login Using Burp Suite Intruder

Brute Force Login Using Burp Suite Intruder

tools: burp suite & iceweasel
web app: mutillidae 

Here I use burp suite intruder to brute force the login of the admin user (remember we enumerated this in an earlier video)

here is the full video of how to brute force a login using burp suite

In short

• ensure proxy is working 
• capture a known bad request 
• right click  on request and sent to burp intruder
• set payload position
• load payloads
• attack

Its worth noting the following findings; in short; (in mutillidae)

• where there is a response code of 302 a successful password has been found 
• the length differs when compared to non successful logins, for example in the video 

successful logins have a length of 48763 (in mutillidae via burp suite)
unsuccessful logins have a length of 48669 (in mutillidae via burp suite)

OWASP A2 Broken Authentication and Session Management

OWASP A2 Broken Authentication and Session Management

bypass authentication via cookies

Tools: Burp Suite
web app: mutillidae 

To achieve this hack I do the following

• setup our proxy
• register 2 brand new usernames HelenC & SamF
•  login as HelenC then logout
• login as SamF then logout
• next  (in burp) under proxy > http history > pick out the 2 requests that authenticated both users (they have a response code of 302 AND the method is POST 
  

•  right click on the first post message and select send to comparer (request) 
• right click on the second post message and select send to comparer (request) 

we want to compare the server responses when logging in as both users to see if there is any pattern we can detect, if there is a well defined pattern in the servers responses we might be able to exploit this to gain unauthenticated access to another users data

• next click on the comparer tab and select words

as you can see burp automatically compares the 2 server responses and highlights any changes. From this we can clearly see that  server first responded to the user HelenC with (amongst other things) the following header;
Set-Cookie: uid=24
for Sam this value has increment in value by 1, therefore SamF recieved the following header
Set-Cookie: uid=25

This tells me that server (potentially) increments the value of the set-cookie: uid by 1 each time a user registers. Now I will attempt to exploit this behavior by modifying the value of
Set-Cookie: uid=24
to
Set-Cookie: uid=1

lets see what happens

and it worked we have sucessfully logged in as the admin simply by changing the value of 

Set-cookie: uid= 

in the response from the server

for this hack to work you must log in with a known good  username & password (simply register one yourself)

**pls note there are other paramemters that could be tampered with to achieve the same result but this post is simply about tampering with the 

Set-cookie: uid=

OWASP A1 Injection

sqli extract user info low security

  web app: mutillidae
  browser: iceweasel

In this post we will attempt to extract user data from a database using sql injection

 to test for a sqli vulnerability i simply add a single quote into the Name field
this result in information leakage which aids my attack and also exposes many other vulnerabilities however we are solely concerned with obtaining user info. heres the error message

This tells my the database is MySQL it also crucially tells me the ACTUAL SQL query performed. This alone tells me that the paramemter/field Name is likely vulnerable to sql injection now we simply need to complete the sql statement to give us what we want
so we add some comments to our single quote, we add
OR 1=1
now 1 ALWAYS is equal to 1 therefore we are making the statement true
--
we dont have the password there fore using -- comments out the password request so now our full sqli payload is
' OR 1=1 -- <space after comments>
to achieve this we simply type the sql command in the name field
and as shown in the video all USERNAMES & PASSWORDS have been retrieved