This post deals with recent observations regarding the UPnP (Universal Plug and Play) protocol and routers. In a few words, thanks to this protocol, devices and services (file sharing, games, ...) can be easily connected and deployed, usually by letting them open ports on the router themselves.
First, I started to do research on my own box to find relevant UPnP functionalities by hand; I found some but had trouble exploiting them. A few days ago, David Middlehurst released a tool called "UPnP Pentest Toolkit".
...

It has been a long time since my last write-up. This one is for Kioptrix 3, which you can find here.
$ nmap -sP 192.168.56.1/24
and we got the IP address: 192.168.56.101
As explained on the VM's page, you need to add the line 192.168.56.101 kioptrix3.com
to your /etc/hosts.
Then, let’s find what kind of services are running on the host machine.
$ nmap 192.168.56.101 -sV -A
Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-12 20:15 CEST
Nmap scan report for malicious (192.168.56.101)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds
Quite obvious: let's check this web server!
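The same two-step routine (ping sweep, then a service scan of the host that answered) shows up in several write-ups on this page. As an added example that is not part of the original posts, here is a small parser that turns nmap's normal output into structured findings, so the open ports and version strings can be compared across machines instead of read off the screen. The two transcripts embedded below are constructed copies of the Kioptrix 3 and Bobby results shown on this page; the parser itself does not depend on them.

```python
"""Parse nmap "normal" output into structured port findings.

Added example, not code from the original write-ups. The sample
transcripts are constructed from the scan output reproduced on this page.
"""
import re
from dataclasses import dataclass

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?"
)
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>\w+) ports")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Return a dict with ip, hostname, the state of unlisted ports and a Port list."""
    host = {"ip": None, "name": None, "default_state": None, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            host["ip"], host["name"] = m.group("ip"), m.group("name")
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            host["default_state"] = m.group("state")
            continue
        m = PORT_RE.match(line)
        if m:  # NSE script lines start with "|" and are skipped by the regex
            host["ports"].append(Port(
                int(m.group("port")), m.group("proto"), m.group("state"),
                m.group("service"), (m.group("version") or "").strip(),
            ))
    return host


def open_ports(host):
    return [p for p in host["ports"] if p.state == "open"]


def likely_filtered(host):
    """'filtered' for the unlisted ports means probes got no reply at all,
    which usually points at a packet filter in front of the host; 'closed'
    means the host answered with RSTs and is reachable directly."""
    return host["default_state"] == "filtered"


# Constructed sample: the Kioptrix 3 scan from this page.
KIOPTRIX = """Nmap scan report for malicious (192.168.56.101)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
"""

# Constructed sample: the Bobby scan from this page.
BOBBY = """Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 5.1
443/tcp closed https
"""

if __name__ == "__main__":
    for sample in (KIOPTRIX, BOBBY):
        h = parse_nmap(sample)
        print(h["ip"], [(p.port, p.service, p.version) for p in open_ports(h)],
              "filtered" if likely_filtered(h) else "direct")
```

The `likely_filtered` check is the kind of detail worth recording: on Kioptrix the unlisted ports are closed, so nothing sits between you and the box, whereas on Bobby they are filtered, so there is a packet filter to keep in mind when a later exploit needs a reverse connection back to you.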
...

Hi there, this post deals with the game released by Google a few days ago about XSS vulnerabilities, which you can find here.
I'll enumerate some of the solutions I found on the Internet which were (in my opinion) interesting/fun. This post contains the solutions for all levels. Big spoiler.
Well, this one was obvious:
<script>alert(1);</script>
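Why that payload works comes down to one thing: the search term is pasted into the HTML without encoding. As an added example that is not part of the original post or of Google's game, the vulnerable pattern and its fix side by side; the page template string is hypothetical, not the game's actual markup.

```python
"""Reflected XSS: unencoded reflection versus HTML-encoded reflection.

Added example, not code from the original post. The template string is a
hypothetical stand-in for the game's page.
"""
import html

PAYLOAD = "<script>alert(1);</script>"


def reflect_unsafe(query):
    """Level-1 style: the user's query is concatenated into the HTML as-is,
    so a <script> element in the query becomes a <script> element in the page."""
    return "<b>Sorry, no results were found for <i>" + query + "</i>.</b>"


def reflect_escaped(query):
    """Same template, but the query is encoded for an HTML text context:
    < > & " ' become entities and the browser renders them as literal text."""
    return ("<b>Sorry, no results were found for <i>"
            + html.escape(query, quote=True) + "</i>.</b>")


def contains_script_tag(page):
    """Crude check a tester would automate: did a real <script> tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(reflect_unsafe(PAYLOAD))
    print(reflect_escaped(PAYLOAD))
```

Note that `html.escape` is the right fix only because the value lands in an HTML text context; a value reflected inside an attribute, a URL or a JavaScript string needs encoding for that context instead, which is what keeps the later levels interesting.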
For this one, you had different options:
...

Hi there,
Quick blog post on the VM "Bobby", which is one of the nicest VMs I have done so far.
The first step is always the same: discovering the machine on the network. To do so:
$ nmap -sV 192.168.1.1/24
I managed to retrieve the IP address: 192.168.1.11
Let's start fingerprinting the different services in order to exploit them. I used Nmap to retrieve the services running:
$ nmap -sV 192.168.1.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-15 20:54 CEST
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 5.1
443/tcp closed https
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
Using Nikto as well:
...

EDIT: Added statistics on the max-age option.
Hi there,
This blog post deals with HTTP security headers on the top 10k Alexa websites. Based on this discussion on netsec, I decided to compute some statistics over the Alexa ranking.
To do this study, I sent an HTTP GET request to each site and saved the headers of the HTTP response. This was done using Python.
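Here is the counting part of such a study as an added example; it is not the author's script. The original fetched every site over the network, so to keep this runnable offline the responses below are constructed inline, and the list of headers counted is a representative set, not necessarily the one used for the real statistics. The HSTS max-age extraction is the piece the EDIT above refers to.

```python
"""Presence statistics for HTTP security headers, plus HSTS max-age values.

Added example, not the author's code. SAMPLE_RESPONSES are constructed raw
response heads standing in for the GET responses the study collected.
"""
import re
from collections import Counter

# Assumed set of headers to count (lower-cased; header names are case-insensitive).
SECURITY_HEADERS = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "x-xss-protection",
]

# Constructed sample data: status line + headers, one per "site".
SAMPLE_RESPONSES = {
    "a.example": ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                  "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n"),
    "b.example": ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                  "Content-Security-Policy: default-src 'self'\r\n\r\n"),
    "c.example": ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://c.example/\r\n"
                  "Strict-Transport-Security: max-age=0\r\n\r\n"),
    "d.example": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}


def parse_headers(raw):
    """Return {lower-cased name: value} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Seconds from an HSTS header value, or None when the directive is missing."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def header_stats(responses):
    """Count how many sites send each header and collect HSTS max-age values."""
    presence = Counter()
    max_ages = []
    for raw in responses.values():
        h = parse_headers(raw)
        for name in SECURITY_HEADERS:
            if name in h:
                presence[name] += 1
        if "strict-transport-security" in h:
            age = hsts_max_age(h["strict-transport-security"])
            if age is not None:
                max_ages.append(age)
    total = len(responses)
    return {
        "total": total,
        "count": {name: presence[name] for name in SECURITY_HEADERS},
        "percent": {name: 100.0 * presence[name] / total for name in SECURITY_HEADERS},
        "hsts_max_ages": sorted(max_ages),
    }


if __name__ == "__main__":
    stats = header_stats(SAMPLE_RESPONSES)
    for name in SECURITY_HEADERS:
        print(f"{name:32} {stats['count'][name]:3} ({stats['percent'][name]:.1f}%)")
    print("HSTS max-age values:", stats["hsts_max_ages"])
```

Two caveats when reading numbers like these: a `max-age=0` counts as "header present" but actually tells browsers to forget the HSTS policy, so presence alone overstates protection; and browsers only honour HSTS received over HTTPS, so headers collected from a plain-HTTP GET (or from a 301 to the HTTPS site) do not necessarily reflect what the final page sends.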
...

This post deals with some research I just did regarding (blind) HQL injections with H2 as the database management system.
First, you should read this post, which gives some really useful information regarding HQL injections in general: HQL for pentesters.
During the assessment, I inspected the API calls using Burp as a proxy, and one of them was:
http://application/API/Users/?req=id=1
The output was a JSON response, such as:
[{user: "admin", id: "1", firstName:"Admin"}]
Changing the id to the numeric value 2, and so on, also worked.
...

Hey,
Just a quick post to give you the link to my slides for BSides London today: here. Don't hesitate to get in touch if you have any feedback or a good feature to suggest.
You can reach me on either GitHub or Twitter.
Just a few words about the conference, which was absolutely amazing. Some really great people were there, the atmosphere was good and everyone was really helpful.
For sure, I'll attend it next year.
Cheers,
This post contains the steps to get a root shell on the bWAPP VM.
As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:
nmap -sP 192.168.1.1/24
After getting the IP address (192.168.1.10), we need to do some fingerprinting.
nmap -sV 192.168.1.10
Fig. Nmap scan result
A lot of services were open, such as VNC, FTP, etc.
...

This post contains the steps to get a root shell on the Scream VM.
This VM can be found here. Have a look to find even more VMs. But before starting the report, I'd like to congratulate g0tmi1k for his awesome tool: VulnInjector.
Ok, let's do this write-up!
As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:
nmap -sP 192.168.1.1/24
After getting the IP address (192.168.1.2), we need to do some fingerprinting.
...

This post contains the steps to get a root shell on the Exploit KB Vulnerable Web App 1 VM.
This VM can be found here. Have a look to find even more VMs.
First, we need to discover where the machine is on our network. To do so, let’s use Nmap:
nmap -sP 192.168.1.1/24
After getting the IP address, we need to do some fingerprinting.
nmap -sV 192.168.1.23
Fig. Nmap scan result