D4rkS0u1
Members

Posts: 6
Days Won: 3
D4rkS0u1 last won the day on December 7 2021
D4rkS0u1 had the most liked content!
2 Followers
507 profile views

D4rkS0u1's Achievements
Rookie (2/14)

Recent Badges
  • One Month Later
  • Week One Done
  • Conversation Starter

Reputation: 13
  1. Hello Researchers, let's just quickly talk about our topic.

What is Recon?
Recon, or Reconnaissance, is a technique or procedure used in information security to find out about our target. Generally, during a pen test or any boot-to-root style capture the flag, reconnaissance is the basic thing to do. In this post I'll be sharing some of my own techniques that I use during recon.

PORT SCANNING
Port scanning is the basic thing to do during reconnaissance, but we are not going to talk about basic tools and techniques for scanning ports. If you want really quick results and don't want to waste time on your initial step, even on very low specs, do this (by the way, I'm an nmap user; the cool kids are using rust and mass these days, but NMAP is better overall according to me). Now, what I generally do is a basic scan with a simple argument:

    nmap 192.168.xx.xx

It will give us back a basic result of open ports to work on, but here's a catch: nmap only looks at the initial 10,000 ports by default. After getting a few ports to look at, we can do one more step to get things done quickly:

    nmap -p- -v 192.168.xx.xx

The "-p-" argument gives us a full port scan over all 65,535 ports, and the "-v" argument stands for verbose, so it will display ports as it finds them. Most people make the mistake of using the "--min-rate" argument to get results fast, but sometimes it can skip some ports, and that leads to a massive loss for a pen tester. Now, after you have this result displayed on your screen, if you need a proper scan for your report or for your notes you can do one thing:

    nmap -sC -sV -pxx,xx,xxxx,xxx 192.168.xx.xx

By using the "-p" argument it will only scan the given ports.
Directory Enumeration and Fuzzing
Let's suppose we have an HTTP server running on our target machine or server and a website to test. For directory busting I use Gobuster, and with SecLists it becomes very dangerous, because SecLists is a massive collection of wordlists specific to directory enumeration. I use some common sense and Wappalyzer to expose the technology used by the website, like PHP. So let's have an example:

    gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -u http://normalweb.net -x php

Why do I use "raft-small-words"? Just because it contains .git, and big.txt doesn't have that. Now if I find .git I could use Git Dumper, and so much more interesting stuff, depending on the approach you use to test your target. This was just a basic approach, but most people skip a really important step: enumerating the directory they are working on. For example, if you get something like "sources", they'll just leave it behind. I really made this mistake a million times and I regret it most of the time, so in my opinion don't skip anything:

    gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://normalweb.net/sources

Now let's talk about fuzzing a little bit. Fuzzing is a really important step that most people skip, but whenever you land on some kind of dead end like 404 Not Found or 301 Forbidden, make sure to fuzz the path once before regretting it, because it happened to me mostly during CTFs when I skipped fuzzing. I really like wfuzz for fuzzing, and I'd advise using wfuzz; it is really easy to use.

    wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.x.xx/FUZZ

So don't make these mistakes or you'll bang your head on the wall.
Looking For Basic Vulnerabilities
Now this is a very common mistake, and it can get us distracted. Whenever you find a website, always try to connect things: check the web socket requests used for chat (they are mostly vulnerable to blind SQL injection), look for some kind of input field to do cross site scripting, and try all kinds of injection like SSTI and XXE. If I look at a web app I mostly check all of the OWASP Top 10 and also the SANS Top 25. Also don't forget to check the URL, because we can have some type of LFI or IDOR.

Hey, this is not the end, just enough for part 1. We'll be back and start our topic from where we've left it today. Catch me on my socials :- YouTube , Instagram
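An added example for the port scanning section above (and for the port-scan advice in the HackTheBox post further down this page); this is my own script, not the author's, and the nmap output it parses is constructed, not a real scan. It takes the grepable (-oG) output of the full -p- scan, pulls out the open TCP ports, builds the targeted -sC -sV -p command the post ends with, and diffs a full scan against a faster one to show the kind of port a --min-rate scan can drop:

```python
"""Chain the two-phase nmap workflow from the post: take the open ports found by
the full "-p-" scan and build the targeted "-sC -sV -p<ports>" command.

Added example, not the author's script. It works on nmap's grepable output (-oG):
    nmap -p- -v -oG full.gnmap 192.168.xx.xx
    python3 nmap_chain.py full.gnmap
The sample output below is constructed for offline use.
"""
import re
import shlex
import sys

# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_FULL_SCAN = """\
# Nmap 7.92 scan initiated Tue Dec  7 12:00:00 2021 as: nmap -p- -v -oG full.gnmap 192.168.10.20
Host: 192.168.10.20 ()\tStatus: Up
Host: 192.168.10.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done at Tue Dec  7 12:05:00 2021 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# Constructed sample of the same host scanned in a hurry (--min-rate): port 8080 is missing.
SAMPLE_QUICK_SCAN = """\
Host: 192.168.10.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
"""

# Each port entry in -oG output is port/state/proto/owner/service/rpc/version
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_open_ports(gnmap_text):
    """Return {host: sorted list of open TCP ports} from grepable nmap output."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]  # "Host: <ip> (<name>)" -> the ip
        ports = {int(p) for p, proto in PORT_RE.findall(line) if proto == "tcp"}
        result.setdefault(host, set()).update(ports)
    return {h: sorted(p) for h, p in result.items()}


def build_service_scan(host, ports):
    """Build the follow-up command: default NSE scripts + version detection on only the open ports."""
    if not ports:
        raise ValueError("no open ports to scan")
    return "nmap -sC -sV -p{} {}".format(",".join(map(str, ports)), shlex.quote(host))


def ports_missed_by_quick_scan(full, quick):
    """Ports the full scan found that the faster scan dropped (the --min-rate pitfall)."""
    return {h: sorted(set(p) - set(quick.get(h, []))) for h, p in full.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FULL_SCAN
    for host, ports in parse_open_ports(text).items():
        print(build_service_scan(host, ports))
    if len(sys.argv) == 1:
        missed = ports_missed_by_quick_scan(parse_open_ports(SAMPLE_FULL_SCAN),
                                            parse_open_ports(SAMPLE_QUICK_SCAN))
        print("missed by the fast scan:", missed)
```

Only open TCP ports are collected; filtered ports (like 445 in the sample) are left out of the follow-up scan so that -sV does not waste time on them.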
  2. Hello Researchers, there was a remote code execution vulnerability in Apple's macOS. Apple released an update to fix it, but the vulnerability wasn't patched successfully and it's still functional on the latest macOS.

About the vulnerability
A vulnerability discovered by Park Minchain in Apple's latest macOS Finder allows files whose extension is inetloc to execute any command; these commands can be embedded inside the files without providing a prompt or warning to the user. The vulnerability affects macOS Big Sur and prior versions of macOS. Now let's understand the vulnerability.

Originally, inetloc files are shortcuts to an internet location, such as an RSS feed or a telnet location, and contain the server address and possibly a username and password for SSH and telnet connections. They can be created by typing a URL in a text editor and dragging the text to the Desktop. Now the inetloc is referring to the "file://" protocol, which allows running files on the user's local computer. If the inetloc file is attached to an email and sent to someone, clicking the attachment will trigger the vulnerability without warning. The latest version of macOS has blocked the "file://" prefix; however, case matching bypasses the fix, with something like "File://" or "fiLe://".

Exploit

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>URL</key>
        <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
    </dict>
    </plist>

Proof of Concept
videoplayback.mp4
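An added example (mine, not the author's and not Apple's code) that shows the point of the post in a checkable form: a fix that only rejects the literal lowercase "file://" prefix is defeated by "FiLe:////...", while comparing the URL scheme case-insensitively is not. The script reads the URL out of an inetloc plist with the standard plistlib module. The PoC plist is the one from the post; the benign shortcut and the "naive" check are constructed to illustrate the bypass, they are not Apple's real implementation.

```python
"""Triage .inetloc files for the case-variant file:// trick described in the post.

Added example, not part of the original post or Apple's fix. Usage:
    python3 inetloc_check.py some.inetloc [more.inetloc ...]
With no arguments it runs on the constructed samples below.
"""
import plistlib
import re
import sys

# The PoC plist from the post, reproduced here as test input.
POC_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""

# A legitimate inetloc-style shortcut, constructed for comparison.
BENIGN_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>URL</key>
<string>https://example.com/feed.rss</string>
</dict>
</plist>
"""


def read_inetloc_url(data):
    """Return the URL string stored under the "URL" key of an inetloc plist, or None."""
    plist = plistlib.loads(data)
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def naive_is_blocked(url):
    """Exact-prefix check: a reconstruction of a fix that rejects only lowercase 'file://'."""
    return url.startswith("file://")


def scheme_of(url):
    """Extract the URL scheme (RFC 3986 syntax) and lower-case it, as schemes are case-insensitive."""
    m = re.match(r"\s*([A-Za-z][A-Za-z0-9+.-]*):", url)
    return m.group(1).lower() if m else None


def is_local_file_url(url):
    """Case-insensitive check; the slash padding after the colon does not matter here."""
    return scheme_of(url) == "file"


def triage(data):
    """Classify an inetloc blob: 'file-url' (dangerous), 'remote' (ordinary shortcut) or 'no-url'."""
    url = read_inetloc_url(data)
    if url is None:
        return "no-url"
    return "file-url" if is_local_file_url(url) else "remote"


if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [POC_INETLOC, BENIGN_INETLOC]
    for blob in blobs:
        url = read_inetloc_url(blob)
        print(f"{triage(blob):9} naive_blocked={naive_is_blocked(url or '')!s:5} url={url}")
```

Run against the PoC, the naive check reports it as not blocked while triage() flags it as a file URL; the benign RSS shortcut is reported as remote by both.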
  3. Prerequisite :- Basic knowledge about Linux and an understanding of some code 🙂 So let's start....

What are Executables?
Let's understand the concept of executables. These files are run as a process in an operating system, for example ELF, which stands for Executable and Linkable Format; these files are kind of similar to Windows EXE files. Let's take the example of a basic hello world program in the C language.

    #include <stdio.h>

    int main()
    {
        printf("Hello World\n");
        return 0;
    }

OUTPUT -

Now this piece of code will not run on its own; we have to compile it to make it an executable in order to run the program. GCC is a very good C compiler, but it doesn't convert the C code into an executable directly. It consists of a few processes, like generation of assembly code, object files, linking them etc., before producing the final executable product.

Executable and Linkable Format (ELF) -
An ELF file is basically a binary file, and we know that it is made up of some binary chunks like headers, sections, segments etc. The header contains the meta information that helps the process of execution. Sections are other parts of the binary data that serve specific purposes; for example the .text section has the code that needs to be executed and the .data section contains initialized variable values. When the ELF file gets executed it becomes a process, and the process has its own memory, where all the sections get mapped, and there are some data structures that also get allocated in memory for this program to run, like stacks. In binary exploitation we'll attack the stack, but for now just remember that each process has some memory space and it follows some kind of layout. Each of these instructions is read from the .text section and executed by the CPU, because it has the code to be executed, as we've talked about earlier in the post.

Looking into ELF -
I've written this basic C code that takes input from the user and outputs it.
    #include <stdio.h>

    int main(void)
    {
        char name[20];
        printf("Enter Your Name : ");
        scanf("%s", name);   /* %s has no width limit, so a name longer than 19 characters overflows name */
        printf("Your name is : %s", name);
        getchar();           /* replaces getch(), which is not available on Linux */
        return 0;
    }

OUTPUT -

Now, as you can read the code, it will take your name and print it on the screen after compilation. What if we run strings on the executable file? Let me give you a short introduction to strings: it is just a program which reads the file and outputs the human readable parts. You can use the following command to check this yourself:

    strings main.exe

Strings of an exe file can be seen via the following command

In our case I found the word hello after running the command, which we used to print out the message. If you want to see the hexadecimal dump you can do that with xxd. There is also a tool called readelf that will parse the binary and give information.

Readelf breakdown of an exe compiled from a C program

Hope you'll like my post, and for connecting with me on social media you can check the given links; I'll try to post more threads like this one. Enjoy !!!
Youtube :- www.youtube.com/techsolutionhindi
Instagram :- www.instagram.com/tech.solutionhindi
  4. HackTheBox is a really good platform for CTF players; you'll learn something new in every single machine. I like this platform because of how unique every machine is.

Recon :- If you want to own machines, make sure your recon is good. Enumeration is the key to success.

Port Scan :- Port scan is the initial stage of recon. As soon as you get the IP of the machine you should scan for open ports, but the mistakes I made during port scanning were the following:
- Not scanning for UDP ports (-sU for nmap)
- Only scanning for the top 10,000 ports (default settings of nmap)
- Not using the Nmap Scripting Engine
As you can clearly see, I'm not the cool rust or masscan guy; I'm an NMAP user. As soon as your port scan finishes, you should look at the ports and try to find something unique, because generally a normal easy machine has port 80 for a web server and 22 for SSH. Try finding some unique server and use our best friend Google, who'll tell you everything regarding the service running on the port. You can check some other old exploits to see if the service is vulnerable to them.
==========================
Directory Enumeration :- You never know what directories are on the web server, and I found the fastest way to enumerate them. Many hackers use ffuf or dirb, but believe me, gobuster is very fast and it saves our time as well; with a bunch of arguments you can make gobuster really good and save outputs. I use SecLists for scanning for directories; you can try raft-small-words-lowercase if the server is Linux, or you can use small words if the server is running the NTFS file system, because casing doesn't matter in NTFS.
==========================
RCE and File Upload :- When I find nothing on the server I check for some input parameters and check for something in the source code, or try to identify the CMS or the programming language being used. In most of the easy boxes, I've seen the web app is vulnerable somewhere.
You can try some basic attacks like SSRF, SSTI, SQLite injection, NoSQL injection, cross site scripting, OS command injection, LFI, XML entity injection, deserialization etc.... Or you can check the version of the CMS and check the changelog. I don't recommend using plugins like Wappalyzer and others, because I like to do things by myself. Also don't forget to check for file upload and try to bypass some file extension checks using Burp.
==========================
Lateral Movement :- Now we have the case that our shell has popped and we have to get the user flag. The daemon user has the least permissions to move around, so we can check some processes and the permissions to look around. I used to check if I'm permitted to run a script, and we can use /tmp or just move around to look forward. I don't like linpeas, because it's my opinion to do things manually, and depending on a script isn't a good thing.
==========================
Privilege Escalation :- Now we have a user shell. I used to run sudo -l to check what I'm permitted to run, and in most cases you'll find that you can run a script as root. And you already know what to do. I used to grab the SSH private key or put up a reverse shell.
Best Wishes - D4rkS0u1
  5. Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution

"Azure users running Linux virtual machines are at risk of compromise unless they upgrade now," said Cado Security in its analysis of the flaw and its exploitation, noting that "a vulnerable piece of management software in the Open Management Infrastructure (OMI) framework can be remotely exploited by attackers enabling them to escalate to root privileges and remotely execute malicious code."

Resources To Learn More :-
LAB SETUP For OMIGod Exploit :-
How To Detect OMIGOD (For Defensive Security) :-
More Resources :-

Happy Learning - Dark Soul
  6. Like always, HackTheBox has announced another medium difficulty machine this Saturday.
------------------------------------
Pit will be retired very soon. From my experience Pit was a really great box for learning, because I learned a lot from it.