Posted on by

AntiVirus Evasion With Exocet

Hello aspiring Ethical Hackers. In this article, you will learn about AntiVirus Evasion with the help of a tool named Exocet. Exocet is a Crypter type malware dropper. A Crypter is a software that is used to make malware undetectable. It performs functions such as encrypting, obfuscating and manipulating the code of the malware to make it undetectable.

EXOCET is one such Crypter-type malware dropper that can be used to recycle easily detectable malware payloads. EXOCET achieves this by encrypting those malware files using AES-GCM (Galois/Counter Mode) and then create a dropper file for a majority of target architectures and platforms.

Written in Golang programming language, the steps involved in making malware undetectable by EXOCET are,

  1. It first takes malware that is easily detectable by Anti Virus engines as input.
  2. It then encrypts this easily detectable malware and produces it’s own Go file.
  3. This Go file can be cross-compiled to 99% of known architectures like Linux, Windows, Macs, Unix, Android and IPhone etc.
  4. Upon execution, the encrypted payload is written to the disk and immediately executed on the command line.

Let’s see how it works. First, we need to install Golang on Kali as Exocet is a Go program.

Once Golang is successfully installed, clone the repository of Exocet. It can be downloaded from here.

We need to install the EXOCET source files in golang.  We can do this using the command shown below.

Exocet is successfully installed. Now, let’s test it. We create a reverse shell payload with Msfvenom first.

We copy this payload to our target system which is Windows 10. The Windows Defender easily detects it (obviously) and classifies it as malware.

This is expected. Next, We copy this easily detectable payload to the directory of Exocet.

Then we run the following command using Exocet. This will create a new golang file called outputmalware.go.

Then we run the following command to create a Windows 64 bit payload.

av evasion

Our result is the exocet_payload.exe. We start a Metasploit listener on the attacker system and copy the Exocet payload to the target.

This time the payload goes undetected as shown below.

This is how we perform AntiVirus Evasion with Exocet Tool.

Posted on by

How to install Parrot OS in VMware

Hello aspiring ethical hackers. In this article, you will learn how to install Parrot OS in VMware. Parrot OS is an operating system designed for pen testing similar to Kali Linux. It is free and open source GNU/Linux distribution based on Debian designed for security experts, developers and privacy aware people. It includes a full portable arsenal for IT security and digital forensics operations. It also includes everything you need to develop your own programs or protect your privacy while surfing the net.

There are two ways of installing Parrot OS in VMware. They are,

  1. Using a OVA file
  2. Using a ISO file

1.Installing Parrot OS using a OVA file

Let’s first see how to install Parrot OS in VMWare using the OVA file provided by the makers of Parrot OS. You can download the OVA file of Parrot Security OS from the “virtual” section here. Once the OVA file is finished downloading, Open VMWare and click on “Open”.

Enable the checkbox to accept the terms and conditions and click on “Next”.

In the new window that opens, browse to the OVA file you downloaded and click on “Import”.

If you get an “import failed” error as shown below, click on “Retry”.

The import process should start as shown below.

Once the importing process is finished, power on the virtual machine.

The installation is finished.

2. Installing Parrot OS using a ISO file

Now, let’s see how to install Parrot OS using an ISO file. Download the LIVE image from the Parrot Security OS page. Once the download is finished, open VMware Workstation (Version 12 used for this article) and hit “CTRL+N”. The below window should open.

Make sure the “Typical” option is selected and click on “Next”. That takes us to the next window. Initially, the “installer disc image file” field should be empty. Click on “browse” and navigate to the location of the ISO file we just downloaded and select it. Now the window should look like below. Click on “Next”.

The guest operating system should be automatically selected for you. If not, select Linux as OS and version as Debian 8.x (since I am installing a 32bit OS, make it Debian 8.x64 if you are installing 64bit OS). Click on “Next”.

Choose the name of virtual machine and its location as you like. I named it “Parrot”. Click on “Next”.

Allocate the hard disk memory for your virtual machine. Keep the minimum as 20GB. Click on Finish.

It will show you a summary of all the selections you made. If you want to make any changes, click on “Customize hardware” button. Otherwise, click on “Next”.

The virtual machine is created with the name you gave it. Power on the virtual machine. It will boot and take you to the interface shown below. Choose the “Install” option. In the next window select “Standard Installer”. You can select these options using “tab” button.

Select the language in which you want to continue the installation process. Here, I chose English.

Select your country. I chose location as India.

Select the keyboard configuration you want.

It is important to set the root password for the machine before we do anything. Set a complex password. Read the suggestions before you set the root password.

Re-enter the root password again to confirm it.

Although you have a root account, it is good practice to use the system as a non root user. The system will prompt you to create a new user account for non-administrative activities. I am creating a user with name “kalyan”. I am giving the same name as username.

Create a password for the user account you just created (non-root user). Make it a good password for security reasons.

Re-type the password again to confirm the password you have assigned.

The next step is partitioning the hard disk. Unless you are an expert or want to try something different, use the entire disk.

The system will warn you before partitioning. Select the disk for partitioning.

It will ask you to choose the partitioning scheme. Choose the first one. It is also recommended for new users.

Next, it will show you changes you have configured before writing the changes to the disk. Select “Finish partitioning and write changes to the disk”.

Confirm for one last time that you want to write changes to the disk by selecting “Yes”.

The installation process will start and may take some time. You can have snacks and come back. After installation finishes, it will prompt whether you want to install GRUB boot loader.

Select “Yes”. Then it will ask you where to install the boot loader. Select the /dev/sda disk.

After the installation is finished, it will show you a message as shown below. It’s time to boot into your new system.

After the system boots, it will present you a login screen. You can login as either root or the non-root user you created . Once you login, your new pen testing distro should look as below.

See how to install Parrot OS in VirtualBox.

Posted on by

How to install Parrot OS in VirtualBox

Hello aspiring Ethical Hackers. In this article, you will learn how to install Parrot OS in VirtualBox. Parrot OS is an operating system designed for pen testing similar to Kali Linux. It is a free and open source GNU/Linux distribution based on Debian designed for security experts, developers and privacy aware people. It includes a full portable arsenal for IT security and digital forensics operations.

In this article, we will be installing Parrot Security OS in VirtualBox using the OVA file provided by the makers of Parrot OS (See how to install Parrot Security OS using the ISO file). You can download the OVA file of Parrot Security OS from here. Once the OVA file is finished downloading, Open VirtualBox and click on “Import”.

Browse to the OVA file we just downloaded and click on “Next”.

All the settings applied to the virtual machine are displayed. Change any settings if necessary and click on “Import”.

When Software License Agreement is displayed, Click on “Agree”.

Virtual box will start importing the Parrot Security OS virtual appliance as shown below.

After the import is complete, it will be displayed in the list of virtual machines as shown below.

We just need to power it up and the attacker machine is ready.

Posted on by

PwnKit : Explained with POC

Hello aspiring ethical hackers. In this article, you will learn how to use PwnKit to elevate privileges on a Linux system. But first things first. What exactly is polkit?

Polkit is a component that controls system-wide privileges in Unix-like operating systems. Put simply, it provides an organized way for non-privileged processes in Linux to communicate with privileged processes. Known earlier as PolicyKit, it’s name was changed to polkit since version 0.105 which was released in April 2012 to emphasize the rewritten component and changed API.

In Linux, you use SUDO to usually execute commands with privileges of a root user. However, it can also be done with polkit by using command pkexec. But the fact is SUDO is more preferred as it is more easily configurable.

So how is this polkit exploited to elevate privileges on a Linux system. A memory corruption vulnerability PwnKit (CVE-2021-4034) was discovered in the pkexec command (which is installed on all major Linux distributions). The vulnerability is present in polkit since the original release of 2009.

The vulnerable targets include but may not be limited to Red Hat 8, Fedora 21, Debian Testing ‘Bullseye” and Ubuntu 20.04. Most of the systems would have now received patches but any OS with no updates should still be vulnerable.

The version of polkit installed can be checked as shown below.

We are testing it on Debian Testing 11.2 (BullsEye). There is another command apart from “pkexec” to interact with polkit from the command line. It is “dbus-send”. It is a general purpose tool used mainly for testing but installed by default on systems that use D-Bus. For example, on a Linux system, D-Bus can be used to create a new user named “hackercool” as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:hackercool string:”blackhat Account” int32:1

This is as simple as that. This command will manually send a dbus message to the accounts daemon to create a new user named “hackercool” with a description of “blackhat Account” and will make the new user a member of SUDO group (as we set the int32:1 flag). Then all that’s left is setting the password to the newly created user.

But before we do any of this, we need to check the time taken to run the above command? This can be done by prepending the time command to the above command as shown below.

It takes almost 7 seconds to execute this command. But wait, why do we need to check the time taken to execute this command? Because we have to kill it at the correct time. Once again why we need to kill it? Well, here’s the answer.

When you run the above command (without time) and terminate it after some time and then polkit asks dbus-daemon for the connection, dbus-daemon correctly returns an error. Here’s where polkit goes wrong. Instead of rejecting the request it treats the request as it came from root process and viola we have an authentication bypass.

However, the timing of the vulnerability is very difficult to detect. Hence we need to kill the command after over half time. Why? it seems polkit asks d-bus daemon for the terminated connection multiple times on different codepaths. Almost all the codepaths handle it correctly except one. We are looking for this one codepath. So if we terminate the command early, privilege escalation may not work correctly.

I hope everything is explained. Now, let’s get into practical exploitation. So what I want to do is run the same command as we ran above to create a new user named “hackercool” but this time killing the process after 5 seconds. As the command takes 7 seconds to complete, I have chosen to terminate this command after 5 seconds. i.e almost more than half time.

As you can see in the image below, a new user named “hackercool” is created and added into SUDO group.

Now, all we have to do is create a password for this user. Note that we have to create a SHA-512 hash. This can be done using OPenssl. Once the hash is created use the dbus-send command once again but this time to create the password for this newly created user. This can be done as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<SHA-512 HAsh’ string:’Ask the pentester’ & sleep 5s; kill $!

pwnkit

It’s done. Let’s login as the new user.

As you can see, we successfully elevated privileges on a target system by creating a new user. To learn Real World Ethical Hacking, Please subscribe to our Monthly Magazine.

Posted on by

WordPress Reverse Shell : Multiple Methods

Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you all might already know, WordPress is a popular open source Content Management System (CMS) based on PHP and MySQL or MariaDB as database. It was released in year 2003.

SInce then, it grew out to be one of the most popular CMS around the world. It is used as blogging software, membership site and online store etc. WordPress is used by over 60 million websites.

In this article we will show you how to gain a reverse shell on a WordPress website once we have the credentials of the website. This is a comprehensive collection methods to gain reverse shell on WordPress.
 
This Tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.

1. Reverse Shell Through Vulnerable Plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are additional extensions that are used to extend the functionality of the WordPress CMS. WordPress has over 58,559 plugins. Sometimes these vulnerable plugins are the reason attackers get a reverse shell on the WordPress target.
There are many vulnerable plugins which can be downloaded from websites like Exploit Database. We will use one such WordPress plugin Responsive Thumbnail slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability which is used to upload malicious payload into the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload this plugin ourselves and activate it.

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Use check command to confirm if the target is indeed vulnerable.

After setting the credentials and executing the module, a meterpreter session on the target is gained.

Here’s another famous wordpress plugin that can be exploited.

2. Reverse Shell Through Editing WordPress Theme

WordPress Themes enhance the look of the WordPress websites. The content of these theme can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell. Here’s more about c99 web shell.

Here’s the 404.php page of the theme has been edited to copy the code of the C99 web shell into that page. Once the edited file is saved all that is needed to be done is visiting that page.

With C99 shell on the target website, there are a host of options to lay with.

3. Reverse Shell Through Uploading A Malicious Plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. Github has many options of these WordPress malicious plugins. Let’s use one of them named malicious wordpress plugin that can be downloaded from here.

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

wordpress reverse shell

Execute the script again by setting the LHOST, LPORT and by enabling the handler option. i.e the “Y” option. This will start a Metasploit handler.

By this time, a new file named “malicious.zip” is created in the “malicious-wordpress-plugin” directory.

Upload this plugin into WordPress and activate it just like any other plugin.

This newly uploaded web shell can be accessed from two URLs given below

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

4. Reverse Shell Through Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known.

Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Set all the required options that includes credentials and execute the module.

This will give us a meterpreter session successfully. These are the four common methods through which a reverse shell can be achieved on the WordPress. Now, you decide Which is your favorite method of gaining a reverse shell on WordPress?