Security Archives • My Internet Activity

May 27, 2017 by

Playing Around With PentestIt.Ru Testlab v.10 – Part 2

Lets continue the last article since i was busy with my real life. From the last article i successfully get into the server from SSH service. Now lets enumerate the network inside the server based on this network diagram. First, lets check if Nmap already installed on the server:

e.lindsey@tl10-ssh:~$ nmap -version

Nmap version 6.00 ( http://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.1.5 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
e.lindsey@tl10-ssh:~$

1

2

3

4

5

6

7

e.lindsey@tl10-ssh:~$ nmap -version

Nmap version 6.00 ( http://nmap.org )

Platform: x86_64-unknown-linux-gnu

Compiled with: liblua-5.1.5 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6

Compiled without:

e.lindsey@tl10-ssh:~$

Great!! lets mapping the network.

April 10, 2017 by

Playing around with pentestit.ru testlab v.10 – Part 1

Lets playing around with pentestit.ru testlab v.10. Target IP : 192.168.101.9 Nmap :

$ nmap 192.168.101.9 -A

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-09 22:27 EDT
Nmap scan report for gds.lab (192.168.101.9)
Host is up (0.56s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 
|   1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|   2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_  256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp   open  smtp    CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO gds.lab: failed to receive data: connection timeout
80/tcp   open  http    nginx 1.10.1
|_http-server-header: nginx/1.10.1
| http-title: 400 Bad Request
|_Requested resource was http://store.gds.lab
443/tcp  open  http    nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open  http    CommuniGate Pro httpd 6.0.9
| http-methods: 
|_  Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-server-header: CommuniGatePro/6.0.9
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title:  CommuniGate Pro gds.lab Entrance
| http-webdav-scan: 
|   Server Type: CommuniGatePro/6.0.9
|   Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   WebDAV type: Unkown
|   Server Date: Mon, 10 Apr 2017 02:28:28 GMT
|   Directory Listing: 
|     /
|     /CalDAV/
|     /CalDAV/INBOX/
|     /CalDAV/Outbox/
|     /WebDAV/private/caldav/
|_    /CalDAV/Notify/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.07 seconds

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

$ nmap 192.168.101.9 -A

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-09 22:27 EDT

Nmap scan report for gds.lab (192.168.101.9)

Host is up (0.56s latency).

Not shown: 995 filtered ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)

| ssh-hostkey:

| 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)

| 2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)

|_ 256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)

25/tcp open smtp CommuniGate Pro mail server 6.0.9

|_smtp-commands: SMTP EHLO gds.lab: failed to receive data: connection timeout

80/tcp open http nginx 1.10.1

|_http-server-header: nginx/1.10.1

| http-title: 400 Bad Request

|_Requested resource was http://store.gds.lab

443/tcp open http nginx 1.2.1

|_http-server-header: nginx/1.2.1

|_http-title: Security Blog by GlobalDataSecurity

8100/tcp open http CommuniGate Pro httpd 6.0.9

| http-methods:

|_ Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR

|_http-server-header: CommuniGatePro/6.0.9

|_http-svn-info: ERROR: Script execution failed (use -d to debug)

|_http-title: CommuniGate Pro gds.lab Entrance

| http-webdav-scan:

| Server Type: CommuniGatePro/6.0.9

| Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR

| Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR

| WebDAV type: Unkown

| Server Date: Mon, 10 Apr 2017 02:28:28 GMT

| Directory Listing:

| /

| /CalDAV/

| /CalDAV/INBOX/

| /CalDAV/Outbox/

| /WebDAV/private/caldav/

|_ /CalDAV/Notify/

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 164.07 seconds

Lets check HTTP header on port 80 :

$ curl -I http://192.168.101.9
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Mon, 10 Apr 2017 00:34:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45-0+deb7u5
Set-Cookie: PHPSESSID=fcll0vv9bgfv5t8qf2nklig4p3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=963592ccd56622f61d552345b8; path=/; httponly
Set-Cookie: language=en-gb; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9
Set-Cookie: currency=USD; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9

1

2

3

4

5

6

7

8

9

10

11

12

13

14

$ curl -I http://192.168.101.9

HTTP/1.1 200 OK

Server: nginx/1.10.1

Date: Mon, 10 Apr 2017 00:34:08 GMT

Content-Type: text/html; charset=utf-8

Connection: keep-alive

X-Powered-By: PHP/5.4.45-0+deb7u5

Set-Cookie: PHPSESSID=fcll0vv9bgfv5t8qf2nklig4p3; path=/; HttpOnly

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: default=963592ccd56622f61d552345b8; path=/; httponly

Set-Cookie: language=en-gb; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9

Set-Cookie: currency=USD; expires=Wed, 10-May-2017 00:34:08 GMT; path=/; domain=192.168.101.9

I tried to open the IP address through web browser but its like taking forever to load the page. 🙁 Ok, lets examine the source of the page:

<html dir="ltr" lang="en">
<!--<![endif]-->
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>GDS WARE</title>
<base href="http://store.gds.lab/" />
<meta name="description" content="GDS WARE" />
<meta name="keywords" content= "GDS WARE" />

1

2

3

4

5

6

7

8

9

10

<head>

I found store.gds.lab domain inside

April 9, 2017 by

PHP – Fully Undetectable Web Shell

Today, i wanna try to create a simple undetected (hopefully FUD) web shell backdoor. I am using VirusTotal (yes, i want them to check my file, lol..). So, what is FUD? Fully undetectable (usually shortened as “FUD”) can stand for data that had been encrypted, making it appear to be random noise. It can also stand

April 9, 2017 by

Buffer Overflow Golang Fuzzer (64bit)

Hi there, Today i just want to share about buffer overflow and a fuzzing tool to check buffer overflow vulnerability. What is Buffer Overflow? A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created